Improper Link Resolution Before File Access in QFileSystemEngine on Windows

Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentially allows Symlink Attacks and the use of Malicious Files. Issue originates from CVE-2024-38081. The vulnerability arises from the use of the GetTempPath API, which can be exploited by attackers to manipulate temporary file paths, potentially leading to unauthorized access and privilege escalation. The affected public API in the Qt Framework is QDir::tempPath() and anything that uses it, such as QStandardPaths with TempLocation, QTemporaryDir, and QTemporaryFile.This issue affects all version of Qt up to and including 5.15.18, from 6.0.0 through 6.5.8, from 6.6.0 through 6.8.1. It is fixed in Qt 5.15.19, Qt 6.5.9, Qt 6.8.2, 6.9.0

N/A

在文件访问前对链接解析不恰当(链接跟随)

Qt 安全漏洞

Qt是Qt开源的一个跨平台的应用程序开发框架。 Qt 5.15.18及之前版本、6.0.0至6.5.8版本和6.6.0至6.8.1版本存在安全漏洞，该漏洞源于链接解析不当，可能导致符号链接攻击和使用恶意文件。

N/A

N/A