CVSS 3.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N):
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Whenever a TLS connection is started for a server that supports HTTP/2 and has already sent some data to the application, Qt will send data to that server even if its TLS certificate does not match the address the request has been redirected to. This has been assigned the CVE id CVE-2024-39936.
This is known to affect all versions of Qt that support HTTP/2. In earlier versions HTTP/2 was off by default but could be enabled through the relevant request attribute.
Solution: As a workaround, HTTP/2 support can be turned off by calling
    setAttribute(QNetworkRequest::Http2AllowedAttribute, false);
on the QNetworkRequest used to start the initial request.
Alternatively update to Qt 6.8.0, Qt 6.7.3, Qt 6.5.7, Qt 6.2.13 or Qt 5.15.18.
Patches:
dev: <https://codereview.qt-project.org/c/qt/qtbase/+/571601>
Qt 6.7 and Qt 6.6: <https://codereview.qt-project.org/c/qt/qtbase/+/574323> or <https://download.qt.io/official_releases/qt/6.7/CVE-2024-39936-qtbase-6.7.patch>
Qt 6.5: <https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/574426> or <https://download.qt.io/official_releases/qt/6.5/CVE-2024-39936-qtbase-6.5.patch>
Qt 6.2: <https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575684> or <https://download.qt.io/archive/qt/6.2/CVE-2024-39936-qtbase-6.2.patch>
Qt 5.15: <https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575980> or <https://download.qt.io/archive/qt/5.15/CVE-2024-39936-qtbase-5.15.patch>