Vulnerability Details : CVE-2023-30801
All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the "external program" feature in the web user interface. This was reportedly exploited in the wild in March 2023.
Products affected by CVE-2023-30801
- cpe:2.3:a:qbittorrent:qbittorrent:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-30801
0.22% (probability of exploitation activity in the next 30 days)
EPSS Score History
~61% (percentile: the proportion of vulnerabilities that are scored at or lower)
CVSS scores for CVE-2023-30801
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | VulnCheck | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2023-30801
- The product contains hard-coded credentials, such as a password or cryptographic key. Assigned by: nvd@nist.gov (Primary)
- The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. Assigned by: disclosure@vulncheck.com (Secondary)
References for CVE-2023-30801
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5WXBKELVZFZNIDONIJESOCSRPIQNCGI/ ([SECURITY] Fedora 39 Update: qbittorrent-4.6.1-1.fc39 - package-announce - Fedora Mailing-Lists)
- https://vulncheck.com/advisories/qbittorrent-default-creds (QBittorrent Web UI Default Credentials Leads to RCE | VulnCheck Advisories; Third Party Advisory)
- https://github.com/qbittorrent/qBittorrent/issues/18731 (Possible RCE being exploited · Issue #18731 · qbittorrent/qBittorrent · GitHub; Issue Tracking)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4BNFJR3ZWVLE2YSYIQYBWVDQBBZOLEL/ ([SECURITY] Fedora 38 Update: qbittorrent-4.6.1-1.fc38 - package-announce - Fedora Mailing-Lists)