Qt up to 5.15.8/6.2.3 on Linux/Unix QProcess privilege escalation

Summaryinfo

A vulnerability marked as critical has been reported in Qt up to 5.15.8/6.2.3 on Linux/Unix. This affects an unknown function of the component QProcess. This manipulation causes an unknown weakness. This vulnerability is tracked as CVE-2022-25255. The attack is possible to be carried out remotely. No exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Qt up to 5.15.8/6.2.3 on Linux/Unix. Affected by this vulnerability is an unknown code of the component QProcess. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was disclosed 02/17/2022. It is possible to read the advisory at codereview.qt-project.org. This vulnerability is known as CVE-2022-25255 since 02/16/2022. The technical details are unknown and an exploit is not publicly available.

The vulnerability scanner Nessus provides a plugin with the ID 209828 (CBL Mariner 2.0 Security Update: qt5-qtbase (CVE-2022-25255)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 5.15.9 or 6.2.4 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (209828) and CERT Bund (WID-SEC-2022-1991). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Affected

• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• Red Hat OpenShift
• Open Source QT

Productinfo

Name

• Qt

Version

• 5.15.0
• 5.15.1
• 5.15.2
• 5.15.3
• 5.15.4
• 5.15.5
• 5.15.6
• 5.15.7
• 5.15.8
• 6.2.0
• 6.2.1
• 6.2.2
• 6.2.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion