CVE-2024-36048 — Incorrect Usage of Seeds in Pseudo-Random Number Generator in QT

CWE-335 — Incorrect Usage of Seeds in Pseudo-Random Number Generator CWE-337 — Predictable Seed in Pseudo-Random Number Generator CWE-1390 — Weak Authentication6 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 34.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

QT Fedoraproject Fedora

Timeline

PublishedMay 18

Description

QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDqt/qt6.0.0 — 6.2.13+3

Also affects: Fedora 39, 40

Patches

Patch: codereview.qt-project.org ↗Patch: codereview.qt-project.org ↗Patch: codereview.qt-project.org ↗

🔴Vulnerability Details

OSV

CVE-2024-36048: QAbstractOAuth in Qt Network Authorization in Qt before 5↗2024-05-18

▶

GHSA

GHSA-r8x8-rv8c-j266: QAbstractOAuth in Qt Network Authorization in Qt before 5↗2024-05-18

▶

CVEList

CVE-2024-36048: QAbstractOAuth in Qt Network Authorization in Qt before 5↗2024-05-18

▶

📋Vendor Advisories

Red Hat

qtnetworkauth: badly seeded PRNG may result in guessable values↗2024-05-18

▶

Debian

CVE-2024-36048: qt6-networkauth - QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2....↗2024

▶