CVE-2023-30801

2023-10-1014:15:10

Google

osv.dev

qbittorrent

default credentials

web interface

remote attackers

os commands

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.6%

JSON

All versions of the qBittorrent client through 4.5.5 use default credentials when the web user interface is enabled. The administrator is not forced to change the default credentials. As of 4.5.5, this issue has not been fixed. A remote attacker can use the default credentials to authenticate and execute arbitrary operating system commands using the “external program” feature in the web user interface. This was reportedly exploited in the wild in March 2023.

CPENameOperatorVersion
qbittorrenteqrelease-3.0.0
qbittorrenteq4.4.1-1
qbittorrenteqrelease-4.5.0
qbittorrenteq4.5.3-3
qbittorrenteq4.5.4-1
qbittorrenteq4.4.0-1
qbittorrenteq4.6.2-3
qbittorrenteqrelease-4.5.3
qbittorrenteq4.5.0-1
qbittorrenteq4.5.5-1

Name	Operator	Version
qbittorrent	eq	release-3.0.0
qbittorrent	eq	4.4.1-1
qbittorrent	eq	release-4.5.0
qbittorrent	eq	4.5.3-3
qbittorrent	eq	4.5.4-1
qbittorrent	eq	4.4.0-1
qbittorrent	eq	4.6.2-3
qbittorrent	eq	release-4.5.3
qbittorrent	eq	4.5.0-1
qbittorrent	eq	4.5.5-1