Security Advisory: Qt Network

2023-05-23 00:00:00
Andy Shaw
www.qt.io
qt network
hsts header
unencrypted connections
man-in-the-middle attacks
patch
update
qt 5.15.14
qt 6.2.9
qt 6.5.1
security advisory

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

40.2%

Qt Network incorrectly parses the Strict-Transport-Security (HSTS) header, allowing unencrypted connections to be established even when the server explicitly prohibits them. This happens when the header name sent by the server does not match the expected case exactly (HTTP header names are case-insensitive, so a server may legitimately send it in any case). Unencrypted connections are susceptible to man-in-the-middle attacks. Such connections can be established by using URLs with the http scheme instead of https; with HSTS in effect, the https scheme must be used regardless.
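
The following is an added illustration of the bug class, not Qt's code: a header lookup that compares the field name byte-for-byte misses a lower-case `strict-transport-security` and silently leaves the host without an HSTS policy, while the case-insensitive comparison required by RFC 7230 (and, for the directive names, RFC 6797) finds it. `HstsPolicy`, `Headers`, `parseHstsValue` and `findHstsPolicy` are hypothetical names chosen for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <optional>
#include <string>
#include <utility>
#include <vector>
// Illustrative code, not Qt's. RFC 7230 field names and RFC 6797 directive names are
// case-insensitive; a byte-exact lookup misses "strict-transport-security" entirely.
struct HstsPolicy { long long maxAge = 0; bool includeSubDomains = false; };
using Headers = std::vector<std::pair<std::string, std::string>>;
static const std::string kHsts = "Strict-Transport-Security";

static bool iequals(const std::string& a, const std::string& b) {
    return a.size() == b.size() && std::equal(a.begin(), a.end(), b.begin(),
        [](unsigned char x, unsigned char y) { return std::tolower(x) == std::tolower(y); });
}
static std::string trim(const std::string& s) {
    std::size_t b = s.find_first_not_of(" \t"), e = s.find_last_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Parses 'max-age=N[; includeSubDomains]': directive names match case-insensitively,
// max-age may be quoted, and a missing or malformed max-age yields no policy at all.
std::optional<HstsPolicy> parseHstsValue(const std::string& value) {
    HstsPolicy p; bool sawMaxAge = false;
    for (std::size_t start = 0; start <= value.size();) {
        std::size_t end = std::min(value.find(';', start), value.size());
        std::string tok = trim(value.substr(start, end - start));
        std::size_t eq = tok.find('=');
        std::string name = trim(tok.substr(0, eq));
        std::string val = eq == std::string::npos ? "" : trim(tok.substr(eq + 1));
        if (val.size() >= 2 && val.front() == '"' && val.back() == '"') val = val.substr(1, val.size() - 2);
        if (iequals(name, "max-age")) {
            if (val.empty() || val.size() > 18 || val.find_first_not_of("0123456789") != std::string::npos)
                return std::nullopt;
            p.maxAge = std::stoll(val);
            sawMaxAge = true;
        } else if (iequals(name, "includeSubDomains")) p.includeSubDomains = true;
        start = end + 1;
    }
    return sawMaxAge ? std::optional<HstsPolicy>(p) : std::nullopt;
}

// exactNameMatch=true reproduces the vulnerable byte-exact field-name comparison;
// false is the fix: the field name is compared case-insensitively.
std::optional<HstsPolicy> findHstsPolicy(const Headers& h, bool exactNameMatch) {
    for (const auto& [name, value] : h)
        if (exactNameMatch ? name == kHsts : iequals(name, kHsts)) return parseHstsValue(value);
    return std::nullopt;
}
```

With a constructed response header `strict-transport-security: max-age=31536000; includeSubDomains`, the exact-match lookup returns no policy at all, which is the failure this advisory describes, while the case-insensitive lookup returns the policy the server actually sent.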

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1.

Patches:

dev: <https://codereview.qt-project.org/c/qt/qtbase/+/477560>
Qt 6.5: <https://codereview.qt-project.org/c/qt/qtbase/+/476494> or <https://download.qt.io/official_releases/qt/6.5/CVE-2023-32762-qtbase-6.5.diff>
Qt 6.2: <https://download.qt.io/official_releases/qt/6.2/CVE-2023-32762-qtbase-6.2.diff>
Qt 5.15: <https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff>