#VU20394 Command Injection in qBittorrent


Published: 2019-08-26

Vulnerability identifier: #VU20394

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13640

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
qBittorrent
Client/Desktop applications / Other client software

Vendor: qbittorrent.org

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to the "Application::runExternalProgram()" function in "app/application.cpp" allows command injection via shell metacharacters in the torrent name parameter. A remote attacker can inject arbitrary commands via a crafted name within an RSS feed and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

qBittorrent: 0.9.2 - 4.1.6

External links
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00080.html
http://github.com/qbittorrent/qBittorrent/issues/10925

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for qbittorrent
OpenSUSE Linux update for qbittorrent
Command Injection in qbittorrent-nox (Alpine package)
OpenSUSE Linux update for qbittorrent
Command injection in qBittorrent