CVE-2023-32762

Source
https://cve.org/CVERecord?id=CVE-2023-32762
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32762.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-32762
Published
2023-05-28T23:15:09.570Z
Modified
2026-02-11T07:44:48.221032Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.

Affected packages

Git / github.com/qt/qt5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32762.json"

Git / github.com/qt/qtbase

Affected versions

v5.*
v5.10.0
v5.10.0-alpha1
v5.10.0-beta1
v5.10.0-beta2
v5.10.0-beta3
v5.10.0-beta4
v5.10.0-rc1
v5.10.0-rc2
v5.10.0-rc3
v5.10.1
v5.11.0
v5.11.0-alpha1
v5.11.0-beta1
v5.11.0-beta2
v5.11.0-beta3
v5.11.0-beta4
v5.11.0-rc1
v5.11.0-rc2
v5.11.1
v5.11.2
v5.11.3
v5.12.0
v5.12.0-alpha1
v5.12.0-beta1
v5.12.0-beta2
v5.12.0-beta3
v5.12.0-beta4
v5.12.0-rc1
v5.12.0-rc2
v5.12.1
v5.12.2
v5.12.3
v5.12.4
v5.12.5
v5.13.0
v5.13.0-alpha1
v5.13.0-beta1
v5.13.0-beta2
v5.13.0-beta3
v5.13.0-beta4
v5.13.0-rc1
v5.13.0-rc2
v5.13.0-rc3
v5.13.1
v5.13.2
v5.14.0
v5.14.0-alpha1
v5.14.0-beta1
v5.14.0-beta2
v5.14.0-beta3
v5.14.0-rc1
v5.14.0-rc2
v5.14.1
v5.14.2
v5.15.0
v5.15.0-alpha1
v5.15.0-beta1
v5.15.0-beta2
v5.15.0-beta3
v5.15.0-beta4
v5.15.0-rc1
v5.15.0-rc2
v5.15.10-lts-lgpl
v5.15.11-lts-lgpl
v5.15.12-lts-lgpl
v5.15.13-lts-lgpl
v5.15.3-lts-lgpl
v5.15.4-lts-lgpl
v5.15.5-lts-lgpl
v5.15.6-lts-lgpl
v5.15.7-lts-lgpl
v5.15.8-lts-lgpl
v5.15.9-lts-lgpl
v5.9.0
v5.9.0-rc2
v5.9.1
v5.9.2
v5.9.3
v5.9.4
v6.*
v6.0.0-alpha1
v6.0.0-beta1
v6.0.0-beta2
v6.0.0-beta3
v6.0.0-beta4
v6.0.0-beta5
v6.2.0-alpha1
v6.2.0-beta1
v6.2.0-beta2
v6.2.0-beta3
v6.2.0-beta4
v6.2.5-lts-lgpl
v6.2.6-lts-lgpl
v6.2.7-lts-lgpl
v6.2.8-lts-lgpl
v6.5.0-beta1
v6.5.0-beta2
v6.5.0-beta3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32762.json"
vanir_signatures
[
    {
        "id": "CVE-2023-32762-95a33edc",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/qt/qtbase/commit/55aee8697512af105dfefabc1e2ec41d4df1e45e",
        "target": {
            "file": "src/network/kernel/qdnslookup_unix.cpp"
        },
        "deprecated": false
    },
    {
        "id": "CVE-2023-32762-b3d99a5e",
        "signature_type": "Function",
        "digest": {
            "function_hash": "328679296815467547461728943587483981886",
            "length": 7904.0
        },
        "signature_version": "v1",
        "source": "https://github.com/qt/qtbase/commit/55aee8697512af105dfefabc1e2ec41d4df1e45e",
        "target": {
            "function": "QDnsLookupRunnable::query",
            "file": "src/network/kernel/qdnslookup_unix.cpp"
        },
        "deprecated": false
    }
]