CVE-2012-5624
published 2013-02-24CVE-2012-5624: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of…
PriorityP419medium4.3CVSS 2.0
AVNACMAuNCPINAN
EPSS
1.94%
77.6th percentile
The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
Affected
61 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| digia | qt | <= 4.8.3 | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
| qt | qt | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
vendor_redhat4.3MEDIUM
vendor_ubuntu4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Qt vulnerabilities
vendor_ubuntu·2013-02-14·CVSS 4.3
CVE-2012-5624 [MEDIUM] Qt vulnerabilities
Title: Qt vulnerabilities
Summary: Several security issues were fixed in Qt.
Richard J. Moore and Peter Hartmann discovered that Qt allowed redirecting
requests from http to file schemes. If an attacker were able to perform a
machine-in-the-middle attack, this flaw could be exploited to view sensitive
information. This issue only affected Ubuntu 11.10, Ubuntu 12.04 LTS,
and Ubuntu 12.10. (CVE-2012-5624)
Stephen Cheng discovered that Qt may report incorrect errors when ssl
certificate verification fails. (CVE-2012-6093)
Tim Brown and Mark Lowe discovered that Qt incorrectly used weak
permissions on shared memory segments. A local attacker could use this
issue to view sensitive information, or modify program data belonging to
other users. (CVE-2013-0254)
Instructions: After a standard s
Red Hat
Qt: QML XmlHttpRequest insecure redirection
vendor_redhat·2012-11-30·CVSS 4.3
CVE-2012-5624 [MEDIUM] Qt: QML XmlHttpRequest insecure redirection
Qt: QML XmlHttpRequest insecure redirection
The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
Statement: Not vulnerable. This issue did not affect the versions of qt and qt4 as shipped with Red Hat Enterprise Linux 5. This issue did not affect the versions of qt3 and qt as shipped with Red Hat Enterprise Linux 6.
Package: qt (Red Hat Enterprise Linux 5) - Not affected
Package: qt4 (Red Hat Enterprise Linux 5) - Not affected
Package: qt (Red Hat Enterprise Linux 6) - Not affected
Package: qt3 (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-xmh5-6gpf-xj49: The XMLHttpRequest object in Qt before 4
ghsa_unreviewed·2022-05-13
CVE-2012-5624 [MEDIUM] CWE-200 GHSA-xmh5-6gpf-xj49: The XMLHttpRequest object in Qt before 4
The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection
bugzilla·2012-12-04·CVSS 4.3
CVE-2012-5624 [MEDIUM] CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection
CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection
An information disclosure flaw was found in the way XMLHttpRequest object implementation in Qt, a software toolkit for developing applications, performed management of certain HTTP responses. Previous implementation allowed redirection from HTTP protocol to file schemas. Also the redirection handling was performed automatically by QML application and could not be disabled. A remote attacker could use this flaw to cause QML application in an unauthorized way to read local file content by causing the HTTP response for the application to be a redirect to a file: URL (file scheme).
References:
[1] http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
Discussion:
The following builds:
1) qt-4.8.4-1.fc16 for Fedora
Bugzilla
CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection [fedora-all]
bugzilla·2012-12-04·CVSS 4.3
CVE-2012-5624 [MEDIUM] CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection [fedora-all]
CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects mu
http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.htmlhttp://lists.opensuse.org/opensuse-updates/2013-01/msg00045.htmlhttp://lists.opensuse.org/opensuse-updates/2013-01/msg00048.htmlhttp://lists.qt-project.org/pipermail/announce/2012-November/000014.htmlhttp://qt.gitorious.org/qt/qt/commit/96311def2466dd44de64d77a1c815b22fbf68f71http://secunia.com/advisories/52217http://www.openwall.com/lists/oss-security/2012/12/04/8http://www.ubuntu.com/usn/USN-1723-1https://bugzilla.redhat.com/show_bug.cgi?id=883415https://codereview.qt-project.org/#change%2C40034http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.htmlhttp://lists.opensuse.org/opensuse-updates/2013-01/msg00045.htmlhttp://lists.opensuse.org/opensuse-updates/2013-01/msg00048.htmlhttp://lists.qt-project.org/pipermail/announce/2012-November/000014.htmlhttp://qt.gitorious.org/qt/qt/commit/96311def2466dd44de64d77a1c815b22fbf68f71http://secunia.com/advisories/52217http://www.openwall.com/lists/oss-security/2012/12/04/8http://www.ubuntu.com/usn/USN-1723-1https://bugzilla.redhat.com/show_bug.cgi?id=883415https://codereview.qt-project.org/#change%2C40034
2013-02-24
Published