CVE-2020-24742

EUVD-2020-17453
An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
Affected Products (NVD)
VendorProductVersion
qtqt
5.6.0 ≤
𝑥
< 5.12.7
qtqt
5.13.0 ≤
𝑥
≤ 5.13.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qtbase-opensource-src
bookworm
5.15.8+dfsg-11+deb12u2
fixed
bullseye
5.15.2+dfsg-9+deb11u1
fixed
sid
5.15.15+dfsg-2
fixed
trixie
5.15.13+dfsg-4
fixed
qtbase-opensource-src-gles
bookworm
5.15.8+dfsg-3
fixed
bullseye
5.15.2+dfsg-4
fixed
sid
5.15.15+dfsg-2
fixed
trixie
5.15.13+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qtbase-opensource-src
bionic
not-affected
focal
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
trusty
dne
xenial
not-affected
qtbase-opensource-src-gles
bionic
dne
focal
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
trusty
dne
xenial
not-affected
References
https://codereview.qt-project.org/c/qt/qtbase/+/280730
https://codereview.qt-project.org/c/qt/qtbase/+/280730