CVE-2020-13962 — Unchecked Error Condition in Mumble
Severity
7.5 HIGH (NVD)
EPSS
1.6%
top 18.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 9
Latest update: Mar 5
Description
Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 3 packages
Also affects: Fedora 31, 32, 33
Patches
Vulnerability Details (4)
Vendor Advisories (4)
Red Hat
qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications (2020-06-09)
Microsoft
Qt 5.12.2 through 5.14.2 as used in unofficial builds of Mumble 1.3.0 and other products mishandles OpenSSL's error queue which can cause a denial of service to QSslSocket users. Because errors leak i (2020-06-09)
Debian
CVE-2020-13962: qtbase-opensource-src - Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other... (2020)
Community (3)
Bugzilla
CVE-2020-13962 mumble: qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications [fedora-all] (2020-06-22)
Bugzilla
CVE-2020-13962 qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications (2020-06-22)
Bugzilla
CVE-2020-13962 qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications [fedora-all] (2020-06-22)