First published: Sun May 28 2023
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Qt | >=6.3.0, <6.5.1 | Upgrade to 6.5.1 or later |
| Qt | >=6.0.0, <6.2.9 | Upgrade to 6.2.9 or later |
| Qt | <5.15.14 | Upgrade to 5.15.14 or later |
The vulnerability ID of this issue is CVE-2023-32762.
The severity rating of CVE-2023-32762 is medium with a severity value of 5.3.
Qt versions before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1 are affected by CVE-2023-32762.
CVE-2023-32762 is caused by Qt Network matching the strict-transport-security (HSTS) header name only when its case is an exact match, so a differently cased header is ignored and unencrypted connections can be established even when the server explicitly prohibits them.
References for CVE-2023-32762: [Qt security announcement](https://lists.qt-project.org/pipermail/announce/2023-May/000414.html), [fix commit in qtbase](https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305), [Qt code review](https://codereview.qt-project.org/c/qt/qtbase/+/476140).
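The defect described above is a header-name lookup that is case-sensitive where HTTP requires case-insensitive matching. The following is an added example written for this page, not Qt's code and not the patched qtbase implementation: a small plain C++ (no Qt dependency) HSTS header lookup and max-age parser. The `caseSensitive` flag switches between an exact-match lookup, which drops a mixed-case `Strict-Transport-Security` header the way the advisory describes, and the correct case-insensitive lookup. The function names (`hstsPolicyApplies`, `findHeader`, `parseMaxAge`) and the sample responses are hypothetical and constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// A response header as (name, value). Hypothetical type for this example.
using Header = std::pair<std::string, std::string>;

// ASCII case-insensitive equality; HTTP field names are case-insensitive (RFC 9110).
static bool iequals(const std::string& a, const std::string& b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                          return std::tolower(x) == std::tolower(y);
                      });
}

// Trim ASCII blanks from both ends of a directive.
static std::string trim(const std::string& s) {
    auto first = s.find_first_not_of(" \t");
    if (first == std::string::npos) return "";
    auto last = s.find_last_not_of(" \t");
    return s.substr(first, last - first + 1);
}

// Extract the max-age directive from an HSTS value such as
// "max-age=31536000; includeSubDomains". The directive name is matched
// case-insensitively as well (RFC 6797). Returns nullopt if absent or malformed.
static std::optional<long> parseMaxAge(const std::string& value) {
    std::string::size_type pos = 0;
    while (pos <= value.size()) {
        auto end = value.find(';', pos);
        if (end == std::string::npos) end = value.size();
        std::string directive = trim(value.substr(pos, end - pos));
        auto eq = directive.find('=');
        if (eq != std::string::npos && iequals(trim(directive.substr(0, eq)), "max-age")) {
            std::string num = trim(directive.substr(eq + 1));
            if (num.size() >= 2 && num.front() == '"' && num.back() == '"')
                num = num.substr(1, num.size() - 2);   // the value may be quoted
            bool digits = !num.empty() && num.size() <= 18 &&
                          std::all_of(num.begin(), num.end(),
                                      [](unsigned char c) { return std::isdigit(c) != 0; });
            if (!digits) return std::nullopt;
            return std::stol(num);
        }
        pos = end + 1;
    }
    return std::nullopt;
}

// Find a header by name. caseSensitive=true reproduces the exact-match lookup the
// advisory describes as the defect; caseSensitive=false is the correct behaviour.
static std::optional<std::string> findHeader(const std::vector<Header>& headers,
                                             const std::string& name,
                                             bool caseSensitive) {
    for (const auto& h : headers) {
        bool match = caseSensitive ? (h.first == name) : iequals(h.first, name);
        if (match) return h.second;
    }
    return std::nullopt;
}

// True when the response carries an HSTS policy the client must honour
// (header present with max-age > 0), so later plain-HTTP requests to the
// host must be upgraded to HTTPS.
bool hstsPolicyApplies(const std::vector<Header>& headers, bool caseSensitive) {
    auto v = findHeader(headers, "strict-transport-security", caseSensitive);
    if (!v) return false;
    auto age = parseMaxAge(*v);
    return age.has_value() && *age > 0;
}

// Constructed sample responses (not captured traffic).
const std::vector<Header> kMixedCaseResponse = {
    {"Content-Type", "text/html"},
    {"Strict-Transport-Security", "max-age=31536000; includeSubDomains"},
};
const std::vector<Header> kUpperCaseZeroAge = {
    {"STRICT-TRANSPORT-SECURITY", "max-age=0"},   // max-age=0 withdraws the policy
};
const std::vector<Header> kNoHsts = {
    {"Content-Type", "text/html"},
};

int main() {
    std::cout << "exact-match lookup honours mixed-case HSTS: "
              << hstsPolicyApplies(kMixedCaseResponse, true) << '\n';   // 0: policy dropped
    std::cout << "case-insensitive lookup honours it:        "
              << hstsPolicyApplies(kMixedCaseResponse, false) << '\n';  // 1
    return 0;
}
```

The same comparison is a useful regression check for any HTTP client: feed it a response whose HSTS header uses a casing the server is free to choose and confirm the policy is still recorded. A client that only recognises one spelling gives the server no way to enforce HTTPS reliably, which is exactly the condition the advisory describes.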