CVE-2024-51774: 
NixOS vulnerability analysis and mitigation

qBittorrent before version 5.0.1 contained a critical security vulnerability (CVE-2024-51774) where the application proceeded with using HTTPS URLs even after certificate validation errors. This vulnerability existed for 14 years and 6 months, from April 6, 2010, until being patched on October 12, 2024. The issue affected all platforms and versions of qBittorrent up to (but not including) version 5.0.1 (Sharp Security).

The vulnerability stemmed from the DownloadManager class ignoring all SSL certificate validation errors through the implementation of the ignoreSslErrors function. This was originally implemented as a quick fix to enable HTTPS protocol support in the torrent/RSS downloader. The issue received a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability (NVD).

The vulnerability exposed users to potential man-in-the-middle (MITM) attacks and remote code execution (RCE). The impact was particularly severe due to the application's various features that rely on HTTPS connections, including searches, .torrent downloads, RSS feeds, favicon downloads, and automatic updates. On Windows systems, the vulnerability could be exploited to download and execute malicious files under the guise of Python runtime updates or program updates (Sharp Security).

Users are advised to upgrade to qBittorrent version 5.0.1 or later, which fixes the SSL certificate validation issue. The update should be downloaded manually through a browser rather than using the in-app update feature. Alternatively, users can switch to other torrent clients like Deluge or Transmission that are not affected by this vulnerability (Sharp Security, ASEC).

The security community expressed concern about the longevity of the vulnerability and its potential impact. The issue was initially considered theoretical by the project maintainers, but was later assigned CVE-2024-51774 within 48 hours of public disclosure. The disclosure process involved approximately 45 days of communication with the developers before public announcement (Sharp Security).