CVE-2020-13962

moderate-risk

Published 2020-06-09

Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)

Do I need to act?

1.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (6)

Fedora

Leap

Mumble

Affected Vendors

Fedoraproject Qt Opensuse Mumble

References (16)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html

Issue Tracking https://bugreports.qt.io/browse/QTBUG-83450

Exploit https://github.com/mumble-voip/mumble/issues/3679

Patch https://github.com/mumble-voip/mumble/pull/4032

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202007-18

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html

Issue Tracking https://bugreports.qt.io/browse/QTBUG-83450

Exploit https://github.com/mumble-voip/mumble/issues/3679

Patch https://github.com/mumble-voip/mumble/pull/4032

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202007-18

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 4/34 · Minimal

Exposure 13/34 · Low