qBittorrent fixes a 14-year-old vulnerability that bypassed SSL certificate validation [e7y2iF★] (3)

1 Withered Anonymous @ No Reposting (f032c852) 2024/11/03 (Sun) 09:31:46.680 ID:6QQyt4q5m

Sharp Security has unveiled a critical vulnerability that has lingered in the popular torrent client qBittorrent for over 14 years, leaving countless users exposed to potential cyberattacks.
The flaw, deeply rooted in the software’s DownloadManager class, had bypassed SSL certificate validation since April 6, 2010, effectively accepting any SSL certificate regardless of its validity.

The DownloadManager class permeates numerous functions within qBittorrent, affecting core features such as search functions, .torrent downloads, RSS feeds, and even favicon downloads.
Sharp Security’s report highlights the inherent risks this vulnerability introduced, as unverified SSL certificates created an open invitation for potential man-in-the-middle (MITM) attacks. In this context, attackers could intercept and alter traffic, gaining access to sensitive data or installing malicious code under the guise of legitimate downloads.

https://securityonline.info/14-year-vulnerability-in-qbittorrent-leaves-millions-exposed-to-rce-attacks/
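
An audit sketch for the bug class the quoted article describes (a Qt-based client accepting any certificate), added here as an example and not part of the original post or of qBittorrent's code: it flags Qt calls that disable TLS peer verification while leaving narrow, allow-listed exceptions alone. The sample source, the `Fetcher` class and its member names are constructed, and the post does not say which call qBittorrent used.

```python
import re

# Blank out string/char literals and comments so only real code is matched.
# (C++ raw string literals are not handled in this sketch.)
TOKEN = re.compile(
    r'"(?:\\.|[^"\\\n])*"' r"|'(?:\\.|[^'\\\n])+'" r"|//[^\n]*|/\*.*?\*/", re.S)

# Real Qt API names that switch off certificate checks. Assumption: a generic
# Qt audit list, not a statement about the exact call in qBittorrent.
PATTERNS = [
    ("blanket ignoreSslErrors()",
     re.compile(r"(?:->|\.)\s*ignoreSslErrors\s*\(\s*\)")),
    ("peer verification disabled",
     re.compile(r"\bsetPeerVerifyMode\s*\(\s*QSslSocket::VerifyNone\s*\)")),
]

def blank_noncode(src):
    """Replace literals and comments with spaces, keeping offsets and newlines."""
    return TOKEN.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def find_tls_bypass(src):
    """Return sorted (line_number, label) pairs for verification-disabling calls."""
    code = blank_noncode(src)
    hits = []
    for label, rx in PATTERNS:
        for m in rx.finditer(code):
            hits.append((code.count("\n", 0, m.start()) + 1, label))
    return sorted(hits)

# Constructed sample input (hypothetical class, not qBittorrent source).
SAMPLE = '''\
// Constructed sample, not qBittorrent source.
void Fetcher::onSslErrors(QNetworkReply *reply, const QList<QSslError> &errors)
{
    // reply->ignoreSslErrors();  (commented out, must not be reported)
    qWarning("see https://example.invalid/tls"); reply->ignoreSslErrors();
}
void Fetcher::onPinnedErrors(QNetworkReply *reply)
{
    reply->ignoreSslErrors(m_expectedErrors);  // narrow allow-list, not reported
}
void Fetcher::configure(QSslConfiguration &conf)
{
    conf.setPeerVerifyMode(QSslSocket::VerifyNone);
}
'''

if __name__ == "__main__":
    for line_no, label in find_tls_bypass(SAMPLE):
        print(f"line {line_no}: {label}")
```
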