CVE-2023-32762 - OpenCVE

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qt	Qt

Configuration 1 [-]

OR	cpe:2.3:a:qt:qt::::::::
	cpe:2.3:a:qt:qt::::::::
	cpe:2.3:a:qt:qt::::::::

No data.

References

Link	Providers
https://codereview.qt-project.org/c/qt/qtbase/+/476140
https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html
https://lists.qt-project.org/pipermail/announce/2023-May/000414.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-05-28T00:00:00

Updated: 2024-08-19T16:42:12.680Z

Reserved: 2023-05-15T00:00:00

Link: CVE-2023-32762

Vulnrichment

Updated: 2024-08-02T15:25:37.052Z

NVD

Status : Modified

Published: 2023-05-28T23:15:09.570

Modified: 2024-08-19T17:35:06.040

Link: CVE-2023-32762

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-32762", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-19T16:42:12.680Z", "dateReserved": "2023-05-15T00:00:00", "datePublished": "2023-05-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T00:06:23.176268"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://codereview.qt-project.org/c/qt/qtbase/+/476140"}, {"url": "https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305"}, {"url": "https://lists.qt-project.org/pipermail/announce/2023-May/000414.html"}, {"name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:37.052Z"}, "title": "CVE Program Container", "references": [{"url": "https://codereview.qt-project.org/c/qt/qtbase/+/476140", "tags": ["x_transferred"]}, {"url": "https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305", "tags": ["x_transferred"]}, {"url": "https://lists.qt-project.org/pipermail/announce/2023-May/000414.html", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}]}, {"affected": [{"vendor": "qt", "product": "qtbase", "cpes": ["cpe:2.3:a:qt:qtbase:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "5.15.14", "versionType": "custom"}]}, {"vendor": "qt", "product": "qtbase", "cpes": ["cpe:2.3:a:qt:qtbase:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.0", "status": "affected", "lessThan": "6.2.9", "versionType": "custom"}]}, {"vendor": "qt", "product": "qtbase", "cpes": ["cpe:2.3:a:qt:qtbase:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.3.0", "status": "affected", "lessThan": "6.5.1", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-01T14:17:39.605223Z", "id": "CVE-2023-32762", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T16:42:12.680Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://codereview.qt-project.org/c/qt/qtbase/+/476140", "tags": ["x_transferred"]}, {"url": "https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305", "tags": ["x_transferred"]}, {"url": "https://lists.qt-project.org/pipermail/announce/2023-May/000414.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html", "name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:37.052Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-32762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-01T14:17:39.605223Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qt:qtbase:*:*:*:*:*:*:*:*"], "vendor": "qt", "product": "qtbase", "versions": [{"status": "affected", "version": "0", "lessThan": "5.15.14", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:qt:qtbase:*:*:*:*:*:*:*:*"], "vendor": "qt", "product": "qtbase", "versions": [{"status": "affected", "version": "6.0", "lessThan": "6.2.9", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:qt:qtbase:*:*:*:*:*:*:*:*"], "vendor": "qt", "product": "qtbase", "versions": [{"status": "affected", "version": "6.3.0", "lessThan": "6.5.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-01T14:34:50.882Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://codereview.qt-project.org/c/qt/qtbase/+/476140"}, {"url": "https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305"}, {"url": "https://lists.qt-project.org/pipermail/announce/2023-May/000414.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html", "name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T00:06:23.176268"}}}, "cveMetadata": {"cveId": "CVE-2023-32762", "state": "PUBLISHED", "dateUpdated": "2024-08-19T16:42:12.680Z", "dateReserved": "2023-05-15T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-05-28T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "006030F9-35BF-489D-8C3F-14ECF93518C3", "versionEndExcluding": "5.15.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "513DDB0D-A132-4046-8B49-D2776E585826", "versionEndExcluding": "6.2.9", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "matchCriteriaId": "116DC3F0-630E-43F6-AD19-0ABB41CF3D70", "versionEndExcluding": "6.5.1", "versionStartIncluding": "6.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match."}], "id": "CVE-2023-32762", "lastModified": "2024-08-19T17:35:06.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-05-28T23:15:09.570", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://codereview.qt-project.org/c/qt/qtbase/+/476140"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "https://lists.qt-project.org/pipermail/announce/2023-May/000414.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}