CVE-2023-37369

In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.

References

Affected packages

Git / github.com/qt/qtbase

Affected ranges

Type

GIT

Repo

https://github.com/qt/qtbase

Events

Introduced

Fixed

ca725ad9c5331a657c328bf624f2b0b713623276

Introduced

fc9cda5f08ac848e88f63dd4a07c08b2fbc6bf17

Fixed

f131837a9fcc83dcfb70a0a91b1baacb6ccf14a2

Introduced

9554d315aa74eaba1726405ee09117e2ebc6111f

Fixed

af457a9f0f7eb1a2a7d11f495da508faab91a442

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.15.15"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.2.9"
        },
        {
            "introduced": "6.3.0"
        },
        {
            "fixed": "6.5.2"
        }
    ]
}

Affected versions

v5.*

v5.0.0-beta1

v5.0.0-beta2

v5.15.0-alpha1

v5.15.0-beta1

v5.15.0-beta2

v5.15.0-beta3

v5.15.0-beta4

v5.15.10-lts-lgpl

v5.15.11-lts-lgpl

v5.15.12-lts-lgpl

v5.15.13-lts-lgpl

v5.15.14-lts-lgpl

v5.15.3-lts-lgpl

v5.15.4-lts-lgpl

v5.15.5-lts-lgpl

v5.15.6-lts-lgpl

v5.15.7-lts-lgpl

v5.15.8-lts-lgpl

v5.15.9-lts-lgpl

v6.*

v6.0.0-alpha1

v6.0.0-beta1

v6.0.0-beta2

v6.0.0-beta3

v6.0.0-beta4

v6.0.0-beta5

v6.2.0-alpha1

v6.2.0-beta1

v6.2.0-beta2

v6.2.0-beta3

v6.2.0-beta4

v6.2.5-lts-lgpl

v6.2.6-lts-lgpl

v6.2.7-lts-lgpl

v6.2.8-lts-lgpl

v6.5.0-beta1

v6.5.0-beta2

v6.5.0-beta3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37369.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]