Vulnerability Description
In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
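The lookup behaviour behind this advisory, as an added C example that is neither Qt source nor the vendor patch: a PATH search written the way the fixed QProcess behaves, beside the pre-fix fallback, so the difference is visible. The function names, the `cwd_fallback` flag and the caller-supplied PATH string are assumptions for illustration.

```c
// Added illustration (not Qt source or the vendor patch). POSIX: stat, access.
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if path names an executable regular file, else 0. */
static int is_executable_file(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return access(path, X_OK) == 0;
}

/* Resolve a program name against a caller-supplied PATH string.
 * cwd_fallback == 1 reproduces the bug: a name found in no PATH entry is
 * returned unchanged, and execv() of a bare name is resolved by the kernel
 * relative to the current working directory.
 * cwd_fallback == 0 is the fixed behaviour: no match is a failure (0).
 * Empty PATH entries (POSIX reads them as the cwd) are skipped as well.
 * Returns 1 and writes the chosen path to out, or 0. */
int resolve_program(const char *name, const char *path_list,
                    int cwd_fallback, char *out, size_t outlen) {
    if (strchr(name, '/')) {              /* explicit path: no search */
        if (!is_executable_file(name)) return 0;
        snprintf(out, outlen, "%s", name);
        return 1;
    }
    const char *p = path_list;
    while (p) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len > 0) {
            char candidate[4096];
            snprintf(candidate, sizeof candidate, "%.*s/%s", (int)len, p, name);
            if (is_executable_file(candidate)) {
                snprintf(out, outlen, "%s", candidate);
                return 1;
            }
        }
        p = sep ? sep + 1 : NULL;
    }
    if (cwd_fallback) {                   /* pre-5.15.9 / pre-6.2.4 behaviour */
        snprintf(out, outlen, "%s", name); /* cwd-relative name: the bug */
        return 1;
    }
    return 0;                             /* fixed: never fall back to cwd */
}
```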
CVSS Score
HIGH (CVSS base score 7.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Qt | Qt | >= 5.9.0, < 5.15.9 |
| Linux | Linux Kernel | - |
| Opengroup | Unix | - |
References
- https://codereview.qt-project.org/c/qt/qtbase/+/393113 (Issue Tracking, Patch, Vendor Advisory)
- https://codereview.qt-project.org/c/qt/qtbase/+/394914 (Patch, Vendor Advisory)
- https://codereview.qt-project.org/c/qt/qtbase/+/396020 (Patch, Release Notes, Vendor Advisory)
- https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff (Patch, Vendor Advisory)
- https://download.qt.io/official_releases/qt/6.2/qprocess6-2.diff (Patch, Vendor Advisory)
FAQ
What is CVE-2022-25255?
CVE-2022-25255 is a vulnerability with a CVSS score of 7.8 (HIGH). In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
How severe is CVE-2022-25255?
CVE-2022-25255 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2022-25255?
Check the references section above for vendor advisories and patch information. Affected products include Qt (Qt), Linux (Linux Kernel) and Opengroup (Unix).