CVE-2023-30801

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-30801

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-30801.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-30801

Related

Published

2023-10-10T14:15:10Z

Modified

2025-02-13T19:49:10.865916Z

Downstream

openSUSE-SU-2023:0391-1

openSUSE-SU-2024:13477-1

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.

References

Affected packages

Debian:11 / qbittorrent

Package

Name: qbittorrent
Purl: pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.2.5-0.1

4.3.8-1

4.3.9-1

4.3.9-2

4.4.0-1

4.4.0-2

4.4.1-1

4.4.1-2

4.4.1-3

4.4.2-1

4.4.3-1

4.4.3.1-1

4.4.4-1

4.4.5-1

4.5.0-1

4.5.0-2

4.5.1-1

4.5.2-1

4.5.2-2

4.5.2-3

4.5.3-1

4.5.3-2

4.5.3-3

4.5.3-4

4.5.4-1

4.5.5-1

4.6.0-1

4.6.1-1

4.6.1-2

4.6.2-1

4.6.2-2

4.6.2-3

4.6.3-1

4.6.4-1

4.6.4-2

4.6.4-3

4.6.5-1

4.6.6-1

4.6.7-1

5.*

5.0.0-1

5.0.1-1

5.0.2-1

5.0.3-1

5.0.3-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / qbittorrent

Package

Name: qbittorrent
Purl: pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.5.2-3

4.5.2-3+deb12u1

4.5.3-1

4.5.3-2

4.5.3-3

4.5.3-4

4.5.4-1

4.5.5-1

4.6.0-1

4.6.1-1

4.6.1-2

4.6.2-1

4.6.2-2

4.6.2-3

4.6.3-1

4.6.4-1

4.6.4-2

4.6.4-3

4.6.5-1

4.6.6-1

4.6.7-1

5.*

5.0.0-1

5.0.1-1

5.0.2-1

5.0.3-1

5.0.3-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / qbittorrent

Package

Name: qbittorrent
Purl: pkg:deb/debian/qbittorrent?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.5.2-3

4.5.3-1

4.5.3-2

4.5.3-3

4.5.3-4

4.5.4-1

4.5.5-1

4.6.0-1

4.6.1-1

4.6.1-2

4.6.2-1

4.6.2-2

4.6.2-3

4.6.3-1

4.6.4-1

4.6.4-2

4.6.4-3

4.6.5-1

4.6.6-1

4.6.7-1

5.*

5.0.0-1

5.0.1-1

5.0.2-1

5.0.3-1

5.0.3-2

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/qbittorrent/qbittorrent

Affected ranges

Type: GIT
Repo: https://github.com/qbittorrent/qbittorrent
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

7d7097b024788814cf74b05ca6857d074467285e

Affected versions

release-2.*

release-2.9.0

release-3.*

release-3.0.0

release-4.*

release-4.4.0beta1

release-4.4.0beta2

release-4.4.0beta3

release-4.4.0rc1

release-4.5.0

release-4.5.0beta1

release-4.5.1

release-4.5.2

release-4.5.3

release-4.5.4

release-4.5.5