CVE-2023-30801: 
NixOS vulnerability analysis and mitigation

CVE-2023-30801 affects all versions of the qBittorrent client through 4.5.5, where the web user interface uses default credentials without requiring administrators to change them. This vulnerability was discovered and reported in March 2023, and remained unpatched as of version 4.5.5 (VulnCheck Advisory, NVD).

The vulnerability stems from the web user interface's use of default credentials without enforcing a password change. When the web interface is enabled, it allows remote attackers to authenticate using these default credentials. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (CRITICAL), indicating its severe nature. The issue is classified under CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials) (NVD).

Once authenticated using the default credentials, an attacker can execute arbitrary operating system commands through the web interface's "external program" feature. This effectively grants the attacker remote code execution capabilities on the affected system (NVD).

While no official patch was available as of version 4.5.5, users are advised to change the default credentials immediately after installation and disable the external program execution feature if not required. Fedora has released updates (version 4.6.1) addressing this vulnerability for both Fedora 38 and 39 (Fedora Update).

The vulnerability has garnered attention from the security community, with researchers highlighting the risks of default credentials in widely-used software. The issue was initially reported through GitHub, where security researchers documented active exploitation attempts (GitHub Issue).