Huge qBittorrent vulnerability - all versions prior to 5.0.1
In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86. The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days ago.
Reading the article, it explains that since qBittorrent doesn't check SSL certificates, it is open to MITM attacks that send arbitrary files to users' systems. In some cases, qBittorrent could then run the file in the background, allowing for complete access to the system with the same privileges as qBittorrent.
This article went live yesterday, so it's unknown if it is currently being exploited, but it likely will be soon.
I strongly suggest everyone update to 5.0.1. ASAP
I read more of the article, and other parts of the vulnerability affect all operating systems. It's only the first 2 of 4 vulnerabilities that affect specific installation types.
In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86. The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days ago.
Reading the article, it explains that since qBittorrent doesn't check SSL certificates, it is open to MITM attacks that send arbitrary files to users' systems. In some cases, qBittorrent could then run the file in the background, allowing for complete access to the system with the same privileges as qBittorrent.
This article went live yesterday, so it's unknown if it is currently being exploited, but it likely will be soon.
I strongly suggest everyone update to 5.0.1. ASAP
I read more of the article, and other parts of the vulnerability affect all operating systems. It's only the first 2 of 4 vulnerabilities that affect specific installation types.