CVE-2023-30801

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-30801
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30801.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-30801
Published
2023-10-10T14:15:10Z
Modified
2024-06-30T13:20:11.813093Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

References

Affected packages

Debian:11 / qbittorrent

Package

Name
qbittorrent
Purl
pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.2.5-0.1
4.3.8-1
4.3.9-1
4.3.9-2
4.4.0-1
4.4.0-2
4.4.1-1
4.4.1-2
4.4.1-3
4.4.2-1
4.4.3-1
4.4.3.1-1
4.4.4-1
4.4.5-1
4.5.0-1
4.5.0-2
4.5.1-1
4.5.2-1
4.5.2-2
4.5.2-3
4.5.3-1
4.5.3-2
4.5.3-3
4.5.3-4
4.5.4-1
4.5.5-1
4.6.0-1
4.6.1-1
4.6.1-2
4.6.2-1
4.6.2-2
4.6.2-3
4.6.3-1
4.6.4-1
4.6.4-2
4.6.4-3
4.6.5-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / qbittorrent

Package

Name
qbittorrent
Purl
pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.5.2-3
4.5.2-3+deb12u1
4.5.3-1
4.5.3-2
4.5.3-3
4.5.3-4
4.5.4-1
4.5.5-1
4.6.0-1
4.6.1-1
4.6.1-2
4.6.2-1
4.6.2-2
4.6.2-3
4.6.3-1
4.6.4-1
4.6.4-2
4.6.4-3
4.6.5-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / qbittorrent

Package

Name
qbittorrent
Purl
pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.5.2-3
4.5.3-1
4.5.3-2
4.5.3-3
4.5.3-4
4.5.4-1
4.5.5-1
4.6.0-1
4.6.1-1
4.6.1-2
4.6.2-1
4.6.2-2
4.6.2-3
4.6.3-1
4.6.4-1
4.6.4-2
4.6.4-3
4.6.5-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/qbittorrent/qbittorrent

Affected ranges

Type
GIT
Repo
https://github.com/qbittorrent/qbittorrent
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

release-2.*

release-2.9.0

release-3.*

release-3.0.0

release-4.*

release-4.4.0beta1
release-4.4.0beta2
release-4.4.0beta3
release-4.4.0rc1
release-4.5.0
release-4.5.0beta1
release-4.5.1
release-4.5.2
release-4.5.3
release-4.5.4
release-4.5.5