CVE-2023-24607 - Vulnerability Details - OpenCVE

Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00463.

Key SSVC decision points have not yet been added.

Vendors	Products
Qt	Qt

Configuration 1 [-]

OR	cpe:2.3:a:qt:qt::::::::
	cpe:2.3:a:qt:qt::::::::
	cpe:2.3:a:qt:qt::::::::

No data.

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-3805-1	qtbase-opensource-src security update
EUVD	EUVD-2023-28622	Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
Ubuntu USN	USN-7780-1	Qt vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://codereview.qt-project.org/c/qt/qtbase/+/456216
https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html
https://nvd.nist.gov/vuln/detail/CVE-2023-24607
https://www.cve.org/CVERecord?id=CVE-2023-24607
https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
https://www.qt.io/blog/tag/security

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00295}`	epss `{'score': 0.00304}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-04-15T00:00:00

Updated: 2024-08-02T11:03:18.644Z

Reserved: 2023-01-29T00:00:00

Link: CVE-2023-24607

Vulnrichment

Updated: 2024-08-02T11:03:18.644Z

NVD

Status : Modified

Published: 2023-04-15T01:15:07.043

Modified: 2024-11-21T07:48:13.813

Link: CVE-2023-24607

Redhat

Severity : Moderate

Publid Date: 2023-04-15T00:00:00Z

Links: CVE-2023-24607 - Bugzilla

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-24607", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T11:03:18.644Z", "dateReserved": "2023-01-29T00:00:00", "datePublished": "2023-04-15T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T00:06:15.456739"}, "descriptions": [{"lang": "en", "value": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.qt.io/blog/tag/security"}, {"url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216"}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217"}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238"}, {"url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff"}, {"url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d"}, {"url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin"}, {"name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24607", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T15:11:26.446866Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:21:28.108Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:18.644Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qt.io/blog/tag/security", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238", "tags": ["x_transferred"]}, {"url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff", "tags": ["x_transferred"]}, {"url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d", "tags": ["x_transferred"]}, {"url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.qt.io/blog/tag/security", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217", "tags": ["x_transferred"]}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238", "tags": ["x_transferred"]}, {"url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff", "tags": ["x_transferred"]}, {"url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d", "tags": ["x_transferred"]}, {"url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html", "name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:03:18.644Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-24607", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T15:11:26.446866Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-01T15:13:09.574Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.qt.io/blog/tag/security"}, {"url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216"}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217"}, {"url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238"}, {"url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff"}, {"url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d"}, {"url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html", "name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T00:06:15.456739"}}}, "cveMetadata": {"cveId": "CVE-2023-24607", "state": "PUBLISHED", "dateUpdated": "2024-08-02T11:03:18.644Z", "dateReserved": "2023-01-29T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-04-15T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "82BC32FC-2B1F-4FD4-A368-DD37D7FCBA7E", "versionEndExcluding": "5.15.13", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "4911A94E-AA2F-4017-8702-0AF092FF809F", "versionEndExcluding": "6.2.8", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DC66FEF-0D94-4464-B9F8-800A1F9424C0", "versionEndExcluding": "6.4.3", "versionStartIncluding": "6.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3."}], "id": "CVE-2023-24607", "lastModified": "2024-11-21T07:48:13.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-15T01:15:07.043", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.qt.io/blog/tag/security"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://codereview.qt-project.org/c/qt/qtbase/+/456216"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.qt.io/blog/tag/security"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "qt5: A possible DOS involving the Qt SQL ODBC driver plugin", "id": "2187154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2187154"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-404", "details": ["Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3."], "name": "CVE-2023-24607", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "qt5", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "qt5", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-04-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-24607\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-24607"], "statement": "This vulnerability is rated as moderate because it allows a remote attacker to cause a denial of service by exploiting the SQL ODBC driver pluginend, by sending a specially crafted string could crash the application, affecting availability but not compromising system security or integrity.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-404: Improper Resource Shutdown or Release vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform enforces hardening guidelines to apply the most restrictive settings necessary for operational requirements. Baseline configurations and system controls ensure secure software configurations, while least functionality reduces the attack surface and mitigates the risk of resource exhaustion from data leaks. The environment incorporates malicious code protections such as IDS/IPS and antimalware solutions to detect threats and provide real-time visibility into resource usage, reducing the likelihood of resource leaks that could cause system instability. Event logs are collected and analyzed for centralization, correlation, monitoring, alerting, and retention, supporting the detection of abnormal resource usage patterns. Static code analysis and peer reviews enforce strong input validation and error handling to minimize the risk of denial-of-service (DoS) attacks. Lastly, memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) strengthen resilience against memory-related vulnerabilities.", "threat_severity": "Moderate"}