CVE-2019-13640
Published 2019-07-17
Priority: P2 59 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 7.91% (94.0th percentile)
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qbittorrent | < qbittorrent 4.1.7-1 (bookworm) | qbittorrent 4.1.7-1 (bookworm) |
| qbittorrent | qbittorrent | < 4.1.7 | 4.1.7 |
| qbittorrent | qbittorrent | >= 0 < 4.1.7-1 | 4.1.7-1 |
| qbittorrent | qbittorrent | >= 0 < 4.1.7-1 | 4.1.7-1 |
| qbittorrent | qbittorrent | >= 0 < 4.1.7-1 | 4.1.7-1 |
| qbittorrent | qbittorrent | >= 0 < 4.1.7-1 | 4.1.7-1 |
Detection & IOCs (extracted from sources)
- Command injection occurs in Application::runExternalProgram() via shell metacharacters in the torrent name parameter or the current tracker parameter.
- Remote code execution can be triggered by a crafted torrent name embedded in an RSS feed; monitor RSS feed ingestion in qBittorrent for torrent names containing shell metacharacters.
- The vulnerable code path is in app/application.cpp. That is a source file, so on a deployed host the practical check is the installed version (anything before 4.1.7 is affected) and whether the autorun feature is enabled, rather than file integrity monitoring of application.cpp.
- Only qBittorrent versions before 4.1.7 are affected; fixed in 4.1.7-1 across Debian (bookworm, bullseye, forky, sid, trixie) and in the Fedora/EPEL packages.
- The attack surface requires the 'Run external program on torrent completion' feature to be enabled in qBittorrent settings; the torrent name and tracker values are substituted into the configured command line and passed unsanitized to the shell.
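Added example, not qBittorrent's own code and not taken from any of the sources on this page, of the bug class the description and the IOC notes describe: placeholder expansion by text substitution into a string that is then run by `sh -c`, shown beside an argv-based build that never lets a shell parse the name, a single-quote escaper for templates that genuinely need a shell, and the metacharacter check suggested above for RSS monitoring. The template syntax, the %N/%T placeholder names, the helper function names and the sample torrent name are assumptions for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Constructed example, not qBittorrent's own code. It models the autorun
// feature described above: a user-configured command template in which
// %N (torrent name) and %T (current tracker) are expanded. Placeholder
// names and helper functions here are assumptions for illustration.

// Replace every occurrence of `from` in `s` with `to`.
static std::string replaceAll(std::string s, const std::string &from,
                              const std::string &to) {
    for (std::size_t pos = s.find(from); pos != std::string::npos;
         pos = s.find(from, pos + to.size()))
        s.replace(pos, from.size(), to);
    return s;
}

// Vulnerable pattern (the bug class of CVE-2019-13640): expand placeholders
// by plain text substitution and hand the whole string to `/bin/sh -c`.
// Whatever the torrent name contains becomes shell syntax.
std::string buildShellCommand(const std::string &tmpl, const std::string &name,
                              const std::string &tracker) {
    std::string cmd = replaceAll(tmpl, "%N", name);
    cmd = replaceAll(cmd, "%T", tracker);
    return cmd; // caller would run: sh -c "<cmd>"
}

// Hardened alternative: split the template into words first, then expand
// placeholders inside each word in isolation. The result is an argv array
// for execvp()/posix_spawn() (or a process API with a separate argument
// list), so the name is delivered as one argument and no shell parses it.
std::vector<std::string> buildArgv(const std::string &tmpl, const std::string &name,
                                   const std::string &tracker) {
    std::vector<std::string> argv;
    std::string word;
    for (char c : tmpl) {
        if (c == ' ' || c == '\t') {
            if (!word.empty()) { argv.push_back(word); word.clear(); }
        } else {
            word += c;
        }
    }
    if (!word.empty()) argv.push_back(word);
    for (std::string &arg : argv)
        arg = replaceAll(replaceAll(arg, "%N", name), "%T", tracker);
    return argv;
}

// If a shell really is required (a template using pipes or redirects), wrap
// each expanded value in single quotes; an embedded quote becomes '\''.
std::string shellQuote(const std::string &value) {
    std::string out = "'";
    for (char c : value)
        out += (c == '\'') ? std::string("'\\''") : std::string(1, c);
    return out + "'";
}

// Detection heuristic for the RSS-ingestion monitoring point above: flag
// torrent names carrying characters that sh treats specially.
bool hasShellMetachars(const std::string &name) {
    return name.find_first_of(";|&`$()<>\\\"'\n") != std::string::npos;
}

int main() {
    // Constructed inputs: a command template and a name carrying an injected command.
    const std::string tmpl = "/usr/local/bin/notify.sh %N %T";
    const std::string tracker = "udp://tracker.example:6969";
    const std::string evil = "Ubuntu 22.04; touch /tmp/pwned";

    std::cout << "vulnerable: " << buildShellCommand(tmpl, evil, tracker) << '\n';
    std::cout << "argv:";
    for (const auto &a : buildArgv(tmpl, evil, tracker)) std::cout << " [" << a << ']';
    std::cout << "\nquoted: " << shellQuote(evil) << '\n';
    std::cout << "flagged: " << std::boolalpha << hasShellMetachars(evil) << '\n';
    return 0;
}
```

Build with `g++ -std=c++17 example.cpp`. In the vulnerable build the `;` in the name ends the notify command and starts a second one; in the argv build the same name arrives as a single `argv[1]`. The metacharacter check is a heuristic for alerting, not blocking: a legitimate name such as "Rock & Roll" trips it, and a name without those characters can still be hostile to an interpreter other than sh.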
CVSS provenance
- nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- osv · 9.8 CRITICAL
- vendor_debian · 9.8 CRITICAL
GHSA
GHSA-mjwm-xp4r-6444 · ghsa_unreviewed · 2022-05-24 · CRITICAL
Description: same text as the NVD description above.
OSV
CVE-2019-13640 · osv · 2019-07-17 · CVSS 9.8 CRITICAL
Description: same text as the NVD description above.
Debian
CVE-2019-13640: qbittorrent · vendor_debian · 2019 · CVSS 9.8 CRITICAL
Description: same text as the NVD description above.
Scope: local
bookworm: resolved (fixed in 4.1.7-1)
bullseye: resolved (fixed in 4.1.7-1)
forky: resolved (fixed in 4.1.7-1)
sid: resolved (fixed in 4.1.7-1)
trixie: resolved (fixed in 4.1.7-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-13640 qbittorrent: command injection in function Application::runExternalProgram() in app/application.cpp [epel-7] · bugzilla · 2019-07-18 · CVSS 9.8 CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2019-13640 qbittorrent: command injection in function Application::runExternalProgram() in app/application.cpp [fedora-all] · bugzilla · 2019-07-18 · CVSS 9.8 CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2019-13640 qbittorrent: command injection in function Application::runExternalProgram() in app/application.cpp · bugzilla · 2019-07-18 · CVSS 9.8 CRITICAL
A vulnerability was discovered in qBittorrent before 4.1.7: the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
Reference:
https://github.com/qbittorrent/qBittorrent/issues/10925
Discussion:
Created qbittorrent tracking bugs for this issue:
Affects: epel-7 [bug 1731076]
Affects: fedora-all [bug 1731075]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat produ
References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00080.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00085.html
- http://www.openwall.com/lists/oss-security/2024/10/30/4
- https://github.com/qbittorrent/qBittorrent/issues/10925
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5T4XAX2VUI4WMAS5AI4OE3OEQSQCDCF5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OH3WYCKODG4OKMC4S6PWHLHAWWU6ORNC/
- https://www.debian.org/security/2020/dsa-4650