Required CVE Record Information
Description
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
References 4 Total
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- lists.debian.org: [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update mailing-list
Updated:
This container includes required additional information provided by the CVE Program for this vulnerability.
References 4 Total
- https://codereview.qt-project.org/c/qt/qtbase/+/476140 x_transferred
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305 x_transferred
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html x_transferred
- lists.debian.org: [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update mailing-listx_transferred