Detections
Analytics
Debian DSA-4650-1 : qbittorrent - security update
critical Nessus Plugin ID 135191
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Miguel Onoro reported that qbittorrent, a bittorrent client with a Qt5 GUI user interface, allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, which could result in remote command execution via a crafted name within an RSS feed if qbittorrent is configured to run an external program on torrent completion.Solution
Upgrade the qbittorrent packages.For the oldstable distribution (stretch), this problem has been fixed in version 3.3.7-3+deb9u1.
For the stable distribution (buster), this problem has been fixed in version 4.1.5-1+deb10u1.
See Also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932539
https://security-tracker.debian.org/tracker/source-package/qbittorrent
https://packages.debian.org/source/stretch/qbittorrent
Plugin Details
Severity: Critical
ID: 135191
File Name: debian_DSA-4650.nasl
Version: 1.3
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 4/3/2020
Updated: 3/19/2024
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2019-13640
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:qbittorrent, cpe:/o:debian:debian_linux:10.0, cpe:/o:debian:debian_linux:9.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/2/2020
Vulnerability Publication Date: 7/17/2019
Reference Information
CVE: CVE-2019-13640
DSA: 4650