Bug 1217677 (CVE-2023-30801) - VUL-0: CVE-2023-30801: qbittorrent: default credentials allowed by default
Summary: VUL-0: CVE-2023-30801: qbittorrent: default credentials allowed by default
Status: IN_PROGRESS
Alias: CVE-2023-30801
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Importance: P3 - Medium / Critical
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/381326/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-30 04:31 UTC by SMASH SMASH
Modified: 2023-12-01 14:23 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-11-30 04:31:27 UTC
All versions of the qBittorrent client through 4.5.5 use default credentials
when the web user interface is enabled. The administrator is not forced to
change the default credentials. As of 4.5.5, this issue has not been fixed. A
remote attacker can use the default credentials to authenticate and execute
arbitrary operating system commands using the "external program" feature in the
web user interface. This was reportedly exploited in the wild in March 2023.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30801
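The description above says the WebUI ships with default credentials that the administrator is never forced to change. The quickest check a practitioner wants is whether a given instance still accepts them. The script below is an added example written for this page; it is not code from the bug report or from the qBittorrent project. It assumes the upstream-documented default account for releases through 4.5.5, admin / adminadmin (that value is not quoted on this bug page), and the v2 WebUI login endpoint `/api/v2/auth/login`, which answers `Ok.` on success, `Fails.` on a wrong password, and HTTP 403 once the client IP has been banned for repeated failures. The HTTP transport is injectable so the logic can be exercised offline against constructed responses.

```python
"""Audit check for CVE-2023-30801: does a qBittorrent WebUI still accept the
shipped default credentials?  Added example for this bug page; not project code."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Assumption: upstream's documented default account for qBittorrent <= 4.5.5.
DEFAULT_USERNAME = "admin"
DEFAULT_PASSWORD = "adminadmin"

# A transport takes (url, form_body, headers) and returns (status, body_text).
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, str]]


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: one POST, returning status and body even on HTTP errors."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def build_login_request(base_url: str, username: str, password: str):
    """Form the v2 WebUI login request the way the upstream API docs show it."""
    root = base_url.rstrip("/")
    url = root + "/api/v2/auth/login"
    body = urllib.parse.urlencode({"username": username, "password": password}).encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        # The WebUI's CSRF/host checks expect a Referer matching the instance.
        "Referer": root + "/",
    }
    return url, body, headers


def classify_login_response(status: int, body: str) -> str:
    """Map a login reply to one of: accepted, rejected, banned, unexpected."""
    text = body.strip()
    if status == 403:
        return "banned"      # too many failed logins from this IP; stop probing
    if status == 200 and text == "Ok.":
        return "accepted"    # default credentials still work: vulnerable
    if status == 200 and text == "Fails.":
        return "rejected"    # password has been changed (or account renamed)
    return "unexpected"


def default_credentials_accepted(base_url: str, transport: Transport = urllib_transport) -> str:
    """Try the default account once and return the classification."""
    url, body, headers = build_login_request(base_url, DEFAULT_USERNAME, DEFAULT_PASSWORD)
    status, text = transport(url, body, headers)
    return classify_login_response(status, text)


if __name__ == "__main__":
    # Usage: python check_qbt_defaults.py http://host:8080
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    verdict = default_credentials_accepted(target)
    print(f"{target}: default credentials {verdict}")
    if verdict == "accepted":
        print("  -> change the WebUI password now; with these credentials an attacker can")
        print("     configure the 'external program' hook and run OS commands as the service user")
    sys.exit(1 if verdict == "accepted" else 0)
```

Run it only against instances you are authorized to test, and once per host: a `banned` verdict means the WebUI has already locked the source IP after earlier failures and further attempts tell you nothing. An `accepted` verdict is a finding in its own right even before the update lands, because the description's command-execution path needs nothing beyond that login.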
Comment 1 Luigi Baldoni 2023-11-30 08:11:19 UTC
Update sent.
Comment 2 OBSbugzilla Bot 2023-11-30 08:45:03 UTC
This is an autogenerated message for OBS integration:
This bug (1217677) was mentioned in
https://build.opensuse.org/request/show/1129924 Backports:SLE-15-SP6 / qbittorrent
Comment 3 Marcus Meissner 2023-12-01 10:49:26 UTC
we also need fixes for:

openSUSE:Backports:SLE-15-SP4:Update/qbittorrent
openSUSE:Backports:SLE-15-SP5:Update/qbittorrent
Comment 4 OBSbugzilla Bot 2023-12-01 12:15:02 UTC
This is an autogenerated message for OBS integration:
This bug (1217677) was mentioned in
https://build.opensuse.org/request/show/1130210 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / libtorrent-rasterbar
https://build.opensuse.org/request/show/1130211 Backports:SLE-15-SP4+Backports:SLE-15-SP5 / qbittorrent