CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.001 Low
EPSS Percentile: 37.4%
Qt Network incorrectly parses the Strict-Transport-Security (HSTS) header, allowing unencrypted connections to be established even when the server explicitly prohibits them. This happens when the case of the header name does not match exactly. Unencrypted connections are susceptible to man-in-the-middle attacks. Such connections could be established by using URLs with the http scheme instead of https. With HSTS, the https scheme must be used regardless.
Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1.
Patches:
dev: <https://codereview.qt-project.org/c/qt/qtbase/+/477560>
Qt 6.5: <https://codereview.qt-project.org/c/qt/qtbase/+/476494> or <https://download.qt.io/official_releases/qt/6.5/CVE-2023-32762-qtbase-6.5.diff>
Qt 6.2: <https://download.qt.io/official_releases/qt/6.2/CVE-2023-32762-qtbase-6.2.diff>
Qt 5.15: <https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff>
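To make the parsing mistake described above concrete, the following added C++ example (not Qt's code) contrasts a case-sensitive header-name match with the case-insensitive match that HTTP requires, and shows how that outcome decides whether an http:// URL gets upgraded. The helper names and the sample response headers are constructed for illustration.

```cpp
// Added example, not Qt code: models the HSTS header-name matching defect.
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

using Headers = std::vector<std::pair<std::string, std::string>>;

// Case-insensitive ASCII comparison. RFC 7230 section 3.2 makes
// header field names case-insensitive, so this is the correct test.
static bool iequals(const std::string &a, const std::string &b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                          return std::tolower(x) == std::tolower(y);
                      });
}

// Defective pattern: exact, case-sensitive match on the header name.
bool hstsSeenCaseSensitive(const Headers &h) {
    for (const auto &kv : h)
        if (kv.first == "Strict-Transport-Security") return true;
    return false;
}

// Corrected pattern: case-insensitive match on the header name.
bool hstsSeenCaseInsensitive(const Headers &h) {
    for (const auto &kv : h)
        if (iequals(kv.first, "Strict-Transport-Security")) return true;
    return false;
}

// What a client must do with an http:// URL once an HSTS policy is known:
// rewrite the scheme to https://. Without a recorded policy the URL is left
// as-is and the request goes out unencrypted.
std::string resolveScheme(const std::string &url, bool hstsKnown) {
    const std::string http = "http://";
    if (hstsKnown && url.compare(0, http.size(), http) == 0)
        return "https://" + url.substr(http.size());
    return url;
}

// Constructed sample response with lowercase header names, which is how
// HTTP/2 (RFC 7540 section 8.1.2) requires them to be sent.
const Headers kLowercaseResponse = {
    {"content-type", "text/html"},
    {"strict-transport-security", "max-age=31536000; includeSubDomains"},
};
```

With the lowercase response, only the case-insensitive check records the policy, so only it upgrades a later http:// URL to https://.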