CVE-2023-32762
MEDIUM
Qt <5.15.14, 6.x <6.2.9, 6.3.x-6.5.x <6.5.1 - Info Disclosure
Title source: llm
Description
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
References (4)
Core References
Mailing List, Patch
https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html
Scores
CVSS v3
5.3
EPSS
0.0014
EPSS Percentile
33.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
Status
published
Products (2)
debian/debian_linux
10.0
qt/qt
5.9.0 - 5.15.14
Published
May 28, 2023
Tracked Since
Feb 18, 2026