{"id":"UBUNTU-CVE-2023-38197","details":"An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.","modified":"2026-05-20T16:07:39.712714326Z","published":"2023-07-13T02:15:00Z","upstream":["CVE-2023-38197"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-38197"},{"type":"REPORT","url":"https://codereview.qt-project.org/c/qt/qtbase/+/488960"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-38197"}],"affected":[{"package":{"name":"qt6-base","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/qt6-base?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.2.2+dfsg-5ubuntu1","6.2.2+dfsg-6ubuntu1","6.2.2+dfsg-6ubuntu2","6.2.4+dfsg-1ubuntu1","6.2.4+dfsg-2ubuntu1","6.2.4+dfsg-2ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libqt6concurrent6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6core6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6dbus6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6gui6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6network6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6opengl6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6openglwidgets6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6printsupport6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6sql6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6sql6-ibase","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6sql6-mysql","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6sql6-odbc","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6sql6-psql","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6sql6-sqlite","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6test6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6widgets6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"libqt6xml6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"qmake6","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"qmake6-bin","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"qt6-base-dev-tools","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"qt6-gtk-platformtheme","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"qt6-qpa-plugins","binary_version":"6.2.4+dfsg-2ubuntu1.1"},{"binary_name":"qt6-xdgdesktopportal-platformtheme","binary_version":"6.2.4+dfsg-2ubuntu1.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38197.json"}},{"package":{"name":"qt6-base","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/qt6-base?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.4.2+dfsg-18","6.4.2+dfsg-19","6.4.2+dfsg-19build1","6.4.2+dfsg-20","6.4.2+dfsg-21","6.4.2+dfsg-21.1build4","6.4.2+dfsg-21.1build5"],"ecosystem_specific":{"binaries":[{"binary_name":"libqt6concurrent6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6core6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6dbus6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6gui6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6network6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6opengl6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6openglwidgets6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6printsupport6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6sql6-ibase","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6sql6-mysql","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6sql6-odbc","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6sql6-psql","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6sql6-sqlite","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6sql6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6test6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6widgets6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"libqt6xml6t64","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"qmake6","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"qmake6-bin","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"qt6-base-dev-tools","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"qt6-base-doc-html","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"qt6-base-examples","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"qt6-gtk-platformtheme","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"qt6-qpa-plugins","binary_version":"6.4.2+dfsg-21.1build5"},{"binary_name":"qt6-xdgdesktopportal-platformtheme","binary_version":"6.4.2+dfsg-21.1build5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38197.json"}},{"package":{"name":"qt6-base","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/qt6-base?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.8.3+dfsg-0ubuntu2","6.8.3+dfsg-0ubuntu3","6.9.2+dfsg-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"libqt6concurrent6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6core6t64","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6dbus6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6gui6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6network6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6opengl6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6openglwidgets6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6printsupport6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6sql6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6sql6-ibase","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6sql6-mysql","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6sql6-odbc","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6sql6-psql","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6sql6-sqlite","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6test6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6widgets6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"libqt6xml6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"qmake6","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"qmake6-bin","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"qt6-base-dev-tools","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"qt6-base-doc-html","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"qt6-base-examples","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"qt6-gtk-platformtheme","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"qt6-qpa-plugins","binary_version":"6.9.2+dfsg-1ubuntu1"},{"binary_name":"qt6-xdgdesktopportal-platformtheme","binary_version":"6.9.2+dfsg-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38197.json"}},{"package":{"name":"qt6-base","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/qt6-base?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.9.2+dfsg-1ubuntu1","6.9.2+dfsg-2","6.9.2+dfsg-3ubuntu1","6.9.2+dfsg-3ubuntu2","6.9.2+dfsg-4","6.10.2+dfsg-3","6.10.2+dfsg-6","6.10.2+dfsg-7"],"ecosystem_specific":{"binaries":[{"binary_name":"libqt6concurrent6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6core6t64","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6dbus6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6gui6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6network6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6opengl6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6openglwidgets6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6printsupport6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6sql6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6sql6-ibase","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6sql6-mysql","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6sql6-odbc","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6sql6-psql","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6sql6-sqlite","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6test6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6waylandclient6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6widgets6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6wlshellintegration6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"libqt6xml6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"qmake6","binary_version":"6.10.2+dfsg-7"},{"binary_name":"qmake6-bin","binary_version":"6.10.2+dfsg-7"},{"binary_name":"qt6-base-dev-tools","binary_version":"6.10.2+dfsg-7"},{"binary_name":"qt6-base-doc-html","binary_version":"6.10.2+dfsg-7"},{"binary_name":"qt6-base-examples","binary_version":"6.10.2+dfsg-7"},{"binary_name":"qt6-gtk-platformtheme","binary_version":"6.10.2+dfsg-7"},{"binary_name":"qt6-qpa-plugins","binary_version":"6.10.2+dfsg-7"},{"binary_name":"qt6-xdgdesktopportal-platformtheme","binary_version":"6.10.2+dfsg-7"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38197.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}