Improper Authentication in qBittorrent - CVE-2017-12778
Published: May 9, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU35921
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12778
CWE-ID: CWE-287
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: qbittorrent.org
Affected software:
qBittorrent
qBittorrent
Detailed vulnerability description
The vulnerability allows a local authenticated user to read and manipulate data.
** DISPUTED ** The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows Attack to gain unauthorized access to qBittorrent functions by tampering the affected flag value of the config file at the C:Users<username>RoamingqBittorrent pathname. The attacker must change the value of the "locked" attribute to "false" within the "Locking" stanza. NOTE: This is an intended behavior. See https://github.com/qbittorrent/qBittorrent/wiki/I-forgot-my-UI-lock-password.
How to mitigate CVE-2017-12778
Install update from vendor's website.