Description
QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
References (9)
Core 9
Core References
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1504-1
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49895
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0880.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/41236
Patch x_refsource_confirm
http://qt.gitorious.org/qt/qt/commit/846f1b44eea4bb34d080d055badb40a4a13d369e
Exploit, Patch x_refsource_confirm
http://qt.gitorious.org/qt/qt/commit/5f6018564668d368f75e431c4cdac88d7421cff0
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49604
Various Sources x_refsource_misc
http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
Various Sources x_refsource_confirm
https://bugreports.qt-project.org/browse/QTBUG-4455
Scores
EPSS
0.0140
EPSS Percentile
69.4%
Details
CWE
CWE-20
Status
published
Products (30)
digia/qt
< 4.6.4
qt/qt
4.0.0
qt/qt
4.0.1
qt/qt
4.1.0
qt/qt
4.1.1
qt/qt
4.1.2
qt/qt
4.1.3
qt/qt
4.1.4
qt/qt
4.1.5
qt/qt
4.2.0
... and 20 more
Published
Jun 29, 2012
Tracked Since
Feb 18, 2026