QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.
The OAuth mechanism requires generating random values (e.g., state tokens, nonce) to secure the authorization flow. In vulnerable Qt versions, the QAbstractOAuth class uses system time as the sole seed for the PRNG, which is a weak source of entropy. By knowing the approximate initialization time, a remote attacker (unauthenticated) can reproduce or predict the generated random values. The CWE-335 class describes this type of error as improper seed usage in a pseudorandom number generator.
An attacker can predict values generated by the PRNG, enabling OAuth session forgery or hijacking, and consequently complete compromise of confidentiality, integrity, and availability of resources protected by the authorization mechanism.
Qt must be updated to version 5.15.17, 6.2.13, 6.5.6, or 6.7.1 (depending on the branch in use). Fedora users should apply package updates according to notices published on Fedora Project mailing lists. Patches are available in Qt project references (codereview.qt-project.org).
Qt before version 5.15.17, Qt 6.x before 6.2.13, Qt 6.3.x–6.5.x before 6.5.6, and Qt 6.6.x–6.7.x before 6.7.1; affects the Qt Network Authorization component (qtnetworkauth). The vulnerability also affects Qt packages in the Fedora distribution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFedora Project Fedora
OSFedoraproject3940Qt
APPQt< 5.15.176.0.0 – 6.2.13 (bez)6.3.0 – 6.5.6 (bez)6.6.0 – 6.7.1 (bez)
Related vulnerabilities
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox
Integer overflow w Skia w Google Chrome — sandbox escape