{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-24607", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T11:03:18.644Z", "dateReserved": "2023-01-29T00:00:00.000Z", "datePublished": "2023-04-15T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T00:06:15.456Z"}, "descriptions": [{"lang": "en", "value": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.qt.io/blog/tag/security"}, {"url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216"}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217"}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238"}, {"url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff"}, {"url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d"}, {"url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin"}, {"name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24607", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T15:11:26.446866Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:21:28.108Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:18.644Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qt.io/blog/tag/security", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238", "tags": ["x_transferred"]}, {"url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff", "tags": ["x_transferred"]}, {"url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d", "tags": ["x_transferred"]}, {"url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.qt.io/blog/tag/security", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238", "tags": ["x_transferred"]}, {"url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff", "tags": ["x_transferred"]}, {"url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d", "tags": ["x_transferred"]}, {"url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html", "name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:18.644Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24607", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T15:11:26.446866Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-01T15:13:09.574Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.qt.io/blog/tag/security"}, {"url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216"}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217"}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238"}, {"url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff"}, {"url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d"}, {"url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html", "name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T00:06:15.456Z"}}}, "cveMetadata": {"cveId": "CVE-2023-24607", "state": "PUBLISHED", "dateUpdated": "2024-08-02T11:03:18.644Z", "dateReserved": "2023-01-29T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-04-15T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "82BC32FC-2B1F-4FD4-A368-DD37D7FCBA7E", "versionEndExcluding": "5.15.13", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "4911A94E-AA2F-4017-8702-0AF092FF809F", "versionEndExcluding": "6.2.8", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DC66FEF-0D94-4464-B9F8-800A1F9424C0", "versionEndExcluding": "6.4.3", "versionStartIncluding": "6.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3."}], "id": "CVE-2023-24607", "lastModified": "2024-11-21T07:48:13.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-15T01:15:07.043", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.qt.io/blog/tag/security"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.qt.io/blog/tag/security"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "qt5: A possible DOS involving the Qt SQL ODBC driver plugin", "id": "2187154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187154"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-404", "details": ["Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3."], "name": "CVE-2023-24607", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "qt5", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "qt5", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-04-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-24607\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-24607"], "statement": "This vulnerability is rated as moderate because it allows a remote attacker to cause a denial of service by exploiting the SQL ODBC driver pluginend, by sending a specially crafted string could crash the application, affecting availability but not compromising system security or integrity.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-404: Improper Resource Shutdown or Release vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform enforces hardening guidelines to apply the most restrictive settings necessary for operational requirements. Baseline configurations and system controls ensure secure software configurations, while least functionality reduces the attack surface and mitigates the risk of resource exhaustion from data leaks. The environment incorporates malicious code protections such as IDS/IPS and antimalware solutions to detect threats and provide real-time visibility into resource usage, reducing the likelihood of resource leaks that could cause system instability. Event logs are collected and analyzed for centralization, correlation, monitoring, alerting, and retention, supporting the detection of abnormal resource usage patterns. Static code analysis and peer reviews enforce strong input validation and error handling to minimize the risk of denial-of-service (DoS) attacks. Lastly, memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) strengthen resilience against memory-related vulnerabilities.", "threat_severity": "Moderate"}

{}