CVE-2023-32762

Source
https://cve.org/CVERecord?id=CVE-2023-32762
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32762.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-32762
Published
2023-05-28T23:15:09.570Z
Modified
2026-04-12T03:51:16.934406Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.

Affected packages

Git / github.com/qt/qtbase

Affected ranges

Type
GIT
Repo
https://github.com/qt/qtbase
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.9.0"
        },
        {
            "fixed": "5.15.14"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.2.9"
        },
        {
            "introduced": "6.3.0"
        },
        {
            "fixed": "6.5.1"
        }
    ]
}

Database specific

vanir_signatures_modified
"2026-04-12T03:51:16Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32762.json"
vanir_signatures
[
    {
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-32762-1d1a0a9d",
        "source": "https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305",
        "signature_version": "v1",
        "target": {
            "file": "src/network/access/qhsts.cpp"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "198455504285215276206513920714838399588",
                "280746894577215508959761652343184383218",
                "248521215612386692078688414216867720462",
                "66058527147137772403119859541830059642"
            ]
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-32762-65be528c",
        "source": "https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305",
        "signature_version": "v1",
        "target": {
            "file": "tests/auto/network/access/hsts/tst_qhsts.cpp",
            "function": "tst_QHsts::testSTSHeaderParser"
        },
        "digest": {
            "length": 3714.0,
            "function_hash": "202253668995713526950139037894621624785"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-32762-95a33edc",
        "source": "https://github.com/qt/qtbase/commit/55aee8697512af105dfefabc1e2ec41d4df1e45e",
        "signature_version": "v1",
        "target": {
            "file": "src/network/kernel/qdnslookup_unix.cpp"
        },
        "digest": {
            "threshold": 0.9
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-32762-b3d99a5e",
        "source": "https://github.com/qt/qtbase/commit/55aee8697512af105dfefabc1e2ec41d4df1e45e",
        "signature_version": "v1",
        "target": {
            "file": "src/network/kernel/qdnslookup_unix.cpp",
            "function": "QDnsLookupRunnable::query"
        },
        "digest": {
            "length": 7904.0,
            "function_hash": "328679296815467547461728943587483981886"
        }
    }
]
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]