
Security advisory: Recently discovered HTTP2 handling issue impacts Qt


Whenever a TLS connection is started to a server that supports HTTP2 and the server has sent some data to the application, Qt will send data to the server even if the TLS certificate does not match the address it has been redirected to. This has been assigned the CVE id CVE-2024-39936.

This is known to affect all versions of Qt that have support for HTTP2. In earlier versions, HTTP2 support was off by default but could be turned on with the relevant attribute.

Solution: As a workaround, the support can be turned off by calling:

      setAttribute(QNetworkRequest::Http2AllowedAttribute, false);

on the QNetworkRequest used to start the initial request.

Alternatively update to Qt 6.8.0, Qt 6.7.3, Qt 6.5.7, Qt 6.2.13 or Qt 5.15.18.

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/571601
Qt 6.7 and Qt 6.6: https://codereview.qt-project.org/c/qt/qtbase/+/574323 or https://download.qt.io/official_releases/qt/6.7/CVE-2024-39936-qtbase-6.7.patch
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/574426 or https://download.qt.io/official_releases/qt/6.5/CVE-2024-39936-qtbase-6.5.patch
Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575684 or https://download.qt.io/archive/qt/6.2/CVE-2024-39936-qtbase-6.2.patch
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575980 or https://download.qt.io/archive/qt/5.15/CVE-2024-39936-qtbase-5.15.patch
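As an added example that is not part of the advisory, the following Python helper classifies an installed Qt version string against the fixed releases and backport patches listed above, for use when sweeping an inventory of Qt-based applications. It assumes that any branch without a listed fix release (such as 6.3, 6.4 or 6.6) is unfixed below 6.8.0, since the advisory states that every HTTP2-capable Qt version is affected; the status names are the example's own.

```python
# Added example (not from the Qt advisory): classify a Qt version against the
# fixed releases the advisory lists for CVE-2024-39936.
# Assumption: a minor branch without a listed fixed release (e.g. 6.3, 6.4,
# 6.6) is treated as unfixed below 6.8.0, because the advisory says every
# HTTP2-capable Qt version is affected and names only these fix releases.
import re

# First release carrying the fix on each maintained branch, per the advisory.
FIXED_RELEASES = {
    (6, 8): (6, 8, 0),
    (6, 7): (6, 7, 3),
    (6, 5): (6, 5, 7),
    (6, 2): (6, 2, 13),
    (5, 15): (5, 15, 18),
}

# Branches for which the advisory provides a backport patch but no release.
PATCH_ONLY_BRANCHES = {(6, 6)}


def parse_qt_version(text):
    """Return (major, minor, patch) from strings like '6.7.2' or 'Qt 5.15.18'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def cve_2024_39936_status(version_text):
    """Classify a Qt version as 'fixed', 'update' or 'patch-or-update'."""
    version = parse_qt_version(version_text)
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "fixed" if version >= FIXED_RELEASES[branch] else "update"
    if version >= (6, 8, 0):
        return "fixed"  # branches after 6.8 inherit the fix made on dev
    if branch in PATCH_ONLY_BRANCHES:
        return "patch-or-update"  # apply the branch patch or move to a fixed release
    return "update"  # no fix release or patch listed for this branch


if __name__ == "__main__":
    # Constructed sample inventory lines, one Qt version per line.
    for line in ["app-a: Qt 6.7.2", "app-b: Qt 6.6.3", "app-c: Qt 6.10.0"]:
        print(line, "->", cve_2024_39936_status(line))
```

Anything reported as other than "fixed" should also get the Http2AllowedAttribute workaround above until it is updated.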
