CVE-2023-32762 — QT vulnerability

7 documents6 sources

Severity

5.3MEDIUMNVD

OSV7.5

EPSS

0.1%

top 68.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

QT Debian Qt6-base Debian Qtbase-opensource-src +8 more

Timeline

PublishedMay 28

Latest updateSep 28

Description

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages10 packages

▶NVDqt/qt5.9.0 — 5.15.14+2

▶debiandebian/qt6-base< qt6-base 6.4.2+dfsg-9 (bookworm)

▶debiandebian/qtbase-opensource-src< qt6-base 6.4.2+dfsg-9 (bookworm)

▶debiandebian/qtbase-opensource-src-gles< qt6-base 6.4.2+dfsg-9 (bookworm)

▶msrcmsrc/cbl_mariner_1.0_arm

Also affects: Debian Linux 10.0

Patches

Patch: codereview.qt-project.org ↗Patch: github.com ↗Patch: lists.qt-project.org ↗

🔴Vulnerability Details

OSV

qtbase-opensource-src vulnerabilities↗2025-09-28

▶

GHSA

GHSA-j8jh-fhfw-jx2c: An issue was discovered in Qt before 5↗2023-05-29

▶

OSV

CVE-2023-32762: An issue was discovered in Qt before 5↗2023-05-28

▶

📋Vendor Advisories

Ubuntu

Qt vulnerabilities↗2025-09-28

▶

Microsoft

An issue was discovered in Qt before 5.15.14 6.x before 6.2.9 and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header allowing unencrypted conne↗2023-05-09

▶

Debian

CVE-2023-32762: qt6-base - An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x throug...↗2023

▶