Summary: qBittorrent ignored SSL certificate validation errors for 14 years until a recent update. The software downloads Python executable files and database binaries without verifying the source, opening up potential security vulnerabilities. If users accept prompts, malicious software can be executed. Update checks involve parsing RSS feeds from hardcoded URLs, potentially leading to arbitrary URL injections. A stack overflow hint was discovered in the decompression library. Hardcoded URLs can be exploited by malicious scripts in a MITM context. It is recommended to upgrade to version 5.0.1 manually and be cautious of potential security risks when using qBittorrent.
Controversial: The lack of certificate validation, hardcoded URLs, and potential for exploitation pose significant security risks to users of qBittorrent. The fact that the software downloaded executable files without verification is alarming and could lead to serious vulnerabilities.
Unique: The detailed breakdown of specific vulnerabilities within the qBittorrent software, along with the clever scripting possibilities using mitmproxy, provide insight into potential security risks that users may face. The mention of CVE-2019-13640 and CVE-2022-37434 highlight the importance of addressing such vulnerabilities promptly.
https://sharpsec.run/rce-vulnerability-in-qbittorrent/