CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS: 0.0004 Low (Percentile: 14.3%)

In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and
UNIX, QProcess could execute a binary from the current working directory
when not found in the PATH.

Author | Note |
---|---|
mdeslaur | introduced by: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=28666d167aa8e602c0bea25ebc4d51b55005db13 which seems to have been introduced in Qt 5.10, not 5.9 as the CVE description suggests. |

codereview.qt-project.org/c/qt/qtbase/+/393113
codereview.qt-project.org/c/qt/qtbase/+/394914
codereview.qt-project.org/c/qt/qtbase/+/396020
download.qt.io/official_releases/qt/5.15/qprocess5-15.diff
download.qt.io/official_releases/qt/6.2/qprocess6-2.diff
launchpad.net/bugs/cve/CVE-2022-25255
nvd.nist.gov/vuln/detail/CVE-2022-25255
security-tracker.debian.org/tracker/CVE-2022-25255
www.cve.org/CVERecord?id=CVE-2022-25255