Security advisory: OAuth1 in QtNetworkAuth
May 24, 2024 by Andy Shaw | Comments
The OAuth1 implementation in QtNetworkAuth created nonces using a PRNG that was seeded with a predictable seed. This issue has been assigned the CVE id CVE-2024-36048.
This means that an attacker that can somehow control the time of the first OAuth1 flow of the process has a high chance of predicting the nonce used in said OAuth flow.
Solution: Apply the corresponding patch for your version or update to Qt 5.15.17, Qt 6.2.13, Qt 6.5.6 or Qt 6.7.1
Patches:
dev: https://codereview.qt-project.org/c/qt/qtnetworkauth/ /560317
6.7: https://codereview.qt-project.org/c/qt/qtnetworkauth/ /560727 or https://download.qt.io/official_releases/qt/6.7/CVE-2024-36048-qtnetworkauth-6.7.diff
6.6: https://download.qt.io/official_releases/qt/6.6/CVE-2024-36048-qtnetworkauth-6.6.diff
6.5: https://codereview.qt-project.org/c/qt/tqtc-qtnetworkauth/ /560726 or https://download.qt.io/official_releases/qt/6.5/CVE-2024-36048-qtnetworkauth-6.5.diff
6.2: https://codereview.qt-project.org/c/qt/tqtc-qtnetworkauth/ /560420 or https://download.qt.io/archive/qt/6.2/CVE-2024-36048-qtnetworkauth-6.2.diff
5.15: https://codereview.qt-project.org/c/qt/tqtc-qtnetworkauth/ /560725 or https://download.qt.io/official_releases/qt/5.15/CVE-2024-36048-qtnetworkauth-5.15.diff
Blog Topics:
Comments
Subscribe to our newsletter
Subscribe Newsletter
Try Qt 6.7 Now!
Download the latest release here: www.qt.io/download.
Qt 6.7 focuses on the expansion of supported platforms and industry standards. This makes code written with Qt more sustainable and brings more value in Qt as a long-term investment.
We're Hiring
Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.