Security Advisory: Qt Network

2023-05-2300:00:00

Andy Shaw

www.qt.io

qt network

hsts header

unencrypted connections

man-in-the-middle attacks

patch

update

qt 5.15.14

qt 6.2.9

qt 6.5.1

security advisory

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

37.4%

JSON

Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not matching directly. Unencrypted connections are susceptible to man-in-the-middle attacks. Those connections could be established by using URLs with the http instead of the https scheme. With HSTS, the https scheme must be used regardless.

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1

Patches:

dev: <https://codereview.qt-project.org/c/qt/qtbase/+/477560>
Qt 6.5: <https://codereview.qt-project.org/c/qt/qtbase/+/476494> or <https://download.qt.io/official_releases/qt/6.5/CVE-2023-32762-qtbase-6.5.diff>
Qt 6.2: <https://download.qt.io/official_releases/qt/6.2/CVE-2023-32762-qtbase-6.2.diff>
Qt 5.15: <https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff>