8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.68 Medium
EPSS
Percentile
97.9%
An issue on Windows with the GDI font engine has been reported and has been assigned the CVE id CVE-2023-43114.
When corrupt font data is passed to the GDI font engine via QFontDatabase::addApplicationFont[FromData] then it can trigger a crash in the application.
Solution: As a workaround, validate that the font is safe to use beforehand. Or apply the following patch or update to Qt 5.15.16, Qt 6.2.10, Qt 6.5.3, Qt 6.6.0
Patches:
dev: <https://codereview.qt-project.org/c/qt/qtbase/+/503026>
6.5: <https://download.qt.io/official_releases/qt/6.5/CVE-2023-43114-6.5.patch>
6.2: <https://download.qt.io/official_releases/qt/6.2/CVE-2023-43114-6.2.patch>
5.15: <https://download.qt.io/official_releases/qt/5.15/CVE-2023-43114-5.15.patch>
An issue in the libwebp library has been recently reported and assigned the CVE id CVE-2023-4863.
When a malicious WebP image is passed to the library then it can cause a buffer overflow.
Solution: As a workaround, update the WebP library manually to 1.3.2 and rebuild the imageformat plugin. Alternatively, apply the corresponding patch or update to Qt 5.15.16, Qt 6.2.10, Qt 6.5.3, Qt 6.6.0
Patches:
dev: <https://codereview.qt-project.org/c/qt/qtimageformats/+/504175>
6.5: <https://download.qt.io/official_releases/qt/6.5/CVE-2023-4863-6.5.patch>
6.2: <https://download.qt.io/official_releases/qt/6.2/CVE-2023-4863-6.2.patch>
5.15: <https://download.qt.io/official_releases/qt/5.15/CVE-2023-4863-5.15.patch>
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.68 Medium
EPSS
Percentile
97.9%