Candidate: CVE-2019-13640
PublicDate: 2019-07-17 22:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13640
 https://github.com/qbittorrent/qBittorrent/issues/10925
Description:
 In qBittorrent before 4.1.7, the function Application::runExternalProgram()
 located in app/application.cpp allows command injection via shell
 metacharacters in the torrent name parameter or current tracker parameter,
 as demonstrated by remote command execution via a crafted name within an
 RSS feed.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_qbittorrent:
upstream_qbittorrent: released (4.1.7-1)
precise/esm_qbittorrent: DNE
trusty_qbittorrent: ignored (out of standard support)
trusty/esm_qbittorrent: DNE
xenial_qbittorrent: not-affected (code not present)
bionic_qbittorrent: needed
disco_qbittorrent: ignored (reached end-of-life)
eoan_qbittorrent: not-affected (4.1.7-1)
focal_qbittorrent: not-affected (4.1.7-1)
groovy_qbittorrent: not-affected (4.1.7-1)
hirsute_qbittorrent: not-affected (4.1.7-1)
impish_qbittorrent: not-affected (4.1.7-1)
jammy_qbittorrent: not-affected (4.1.7-1)
devel_qbittorrent: not-affected (4.1.7-1)