In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.

The version of qt5-qtbase installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-25255 advisory.

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:7482 advisory.

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:8022 advisory.

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-8022 advisory.

    [5.15.3-1]
    - 5.15.3       Resolves: bz#2061352

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:8022 advisory.

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:8022 advisory.

    The Qt5 libraries packages provide Qt 5, version 5 of the Qt cross-platform application framework.

    Security Fix(es):

    * qt: QProcess could execute a binary from the current working directory when not found in the PATH     (CVE-2022-25255)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-7482 advisory.

    [5.15.3-1]
    - 5.15.3       Resolves: bz#2061377

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:7482 advisory.

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2022:7482 advisory.

  - qt: QProcess could execute a binary from the current working directory when not found in the PATH     (CVE-2022-25255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:7482 advisory.

    The Qt5 libraries packages provide Qt 5, version 5 of the Qt cross-platform application framework.

    The following packages have been upgraded to a later upstream version: qt5 (5.15.3). (BZ#2061377)

    Security Fix(es):

    * qt: QProcess could execute a binary from the current working directory when not found in the PATH     (CVE-2022-25255)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the qt5-qtbase packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0841-1 advisory.

  - The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries     to execute the associated LSP server binary when opening a file of a given type. If this binary is absent     from the PATH, it will try running the LSP server binary in the directory of the file that was just opened     (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted     directory. (CVE-2022-23853)

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0841-1 advisory.

  - The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries     to execute the associated LSP server binary when opening a file of a given type. If this binary is absent     from the PATH, it will try running the LSP server binary in the directory of the file that was just opened     (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted     directory. (CVE-2022-23853)

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 43ae57f6-92ab-11ec-81b4-2cf05d620ecc advisory.

  - In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a     binary from the current working directory when not found in the PATH. (CVE-2022-25255)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
209828	CBL Mariner 2.0 Security Update: qt5-qtbase (CVE-2022-25255)	Nessus	MarinerOS Local Security Checks	high
184601	Rocky Linux 8 : qt5 (RLSA-2022:7482)	Nessus	Rocky Linux Local Security Checks	high
184498	Rocky Linux 9 : qt5 (RLSA-2022:8022)	Nessus	Rocky Linux Local Security Checks	high
168069	Oracle Linux 9 : qt5 (ELSA-2022-8022)	Nessus	Oracle Linux Local Security Checks	high
167997	AlmaLinux 9 : qt5 (ALSA-2022:8022)	Nessus	Alma Linux Local Security Checks	high
167613	RHEL 9 : qt5 (RHSA-2022:8022)	Nessus	Red Hat Local Security Checks	high
167539	Oracle Linux 8 : qt5 (ELSA-2022-7482)	Nessus	Oracle Linux Local Security Checks	high
167313	AlmaLinux 8 : qt5 (ALSA-2022:7482)	Nessus	Alma Linux Local Security Checks	high
167174	CentOS 8 : qt5 (CESA-2022:7482)	Nessus	CentOS Local Security Checks	high
167085	RHEL 8 : qt5 (RHSA-2022:7482)	Nessus	Red Hat Local Security Checks	high
164214	EulerOS 2.0 SP8 : qt5-qtbase (EulerOS-SA-2022-2233)	Nessus	Huawei Local Security Checks	high
159042	openSUSE 15 Security Update : libqt5-qtbase (openSUSE-SU-2022:0841-1)	Nessus	SuSE Local Security Checks	high
158957	SUSE SLED15 / SLES15 Security Update : libqt5-qtbase (SUSE-SU-2022:0841-1)	Nessus	SuSE Local Security Checks	high
158199	FreeBSD : Qt5 -- QProcess unexpected search path (43ae57f6-92ab-11ec-81b4-2cf05d620ecc)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-25255

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high