Bug 1217677 (CVE-2023-30801)

Summary: VUL-0: CVE-2023-30801: qbittorrent: default credentials allowed by default
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: aloisio, stoyan.manolov
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/381326/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-11-30 04:31:27 UTC
All versions of the qBittorrent client through 4.5.5 use default credentials
when the web user interface is enabled. The administrator is not forced to
change the default credentials. As of 4.5.5, this issue has not been fixed. A
remote attacker can use the default credentials to authenticate and execute
arbitrary operating system commands using the "external program" feature in the
web user interface. This was reportedly exploited in the wild in March 2023.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30801

Comment 1 Luigi Baldoni 2023-11-30 08:11:19 UTC
Update sent.

Comment 2 OBSbugzilla Bot 2023-11-30 08:45:03 UTC
This is an autogenerated message for OBS integration:
This bug (1217677) was mentioned in
https://build.opensuse.org/request/show/1129924 Backports:SLE-15-SP6 / qbittorrent

Comment 3 Marcus Meissner 2023-12-01 10:49:26 UTC
We also need fixes for:

openSUSE:Backports:SLE-15-SP4:Update/qbittorrent
openSUSE:Backports:SLE-15-SP5:Update/qbittorrent

Comment 4 OBSbugzilla Bot 2023-12-01 12:15:02 UTC
This is an autogenerated message for OBS integration:
This bug (1217677) was mentioned in
https://build.opensuse.org/request/show/1130210 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / libtorrent-rasterbar
https://build.opensuse.org/request/show/1130211 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / qbittorrent