CVE-2020-13962
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/06/2020
Last modified:
07/11/2023
Description
Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:mumble:mumble:1.3.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* | 5.12.2 (including) | 5.12.9 (excluding) |
| cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* | 5.13.0 (including) | 5.13.2 (including) |
| cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:* | 5.14.0 (including) | 5.14.2 (including) |
| cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* | ||
| cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html
- https://bugreports.qt.io/browse/QTBUG-83450
- https://github.com/mumble-voip/mumble/issues/3679
- https://github.com/mumble-voip/mumble/pull/4032
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4X6EDPIIAQPVP2CHL2CHDHJ25EECA7UE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQJDBZUYMMF4R5QQKD2HTIKQU2NSKO63/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3IZY7LKJ6NAXQDFYFR4S7L5BBHYK53K/
- https://security.gentoo.org/glsa/202007-18