csaf_certbund - wid-sec-w-2024-2077

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "QNAP ist ein Hersteller von NAS (Network Attached Storage) L\u00f6sungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in QNAP NAS ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen und erweiterte Rechte zu erlangen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Appliance\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-2077 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-2077.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-2077 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-2077"
      },
      {
        "category": "external",
        "summary": "QNAP Security Advisory vom 2024-09-08",
        "url": "https://www.qnap.com/de-de/security-advisory/QSA-24-26"
      },
      {
        "category": "external",
        "summary": "QNAP Security Advisory vom 2024-09-08",
        "url": "https://www.qnap.com/de-de/security-advisory/QSA-24-28"
      },
      {
        "category": "external",
        "summary": "QNAP Security Advisory vom 2024-09-08",
        "url": "https://www.qnap.com/de-de/security-advisory/QSA-24-32"
      },
      {
        "category": "external",
        "summary": "QNAP Security Advisory vom 2024-09-08",
        "url": "https://www.qnap.com/de-de/security-advisory/QSA-24-33"
      },
      {
        "category": "external",
        "summary": "Github Security Advisory",
        "url": "https://github.com/advisories/GHSA-5mrr-fx45-wmm7"
      }
    ],
    "source_lang": "en-US",
    "title": "QNAP NAS QTS and QuTS hero: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-09-08T22:00:00.000+00:00",
      "generator": {
        "date": "2024-09-09T12:07:45.314+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.6"
        }
      },
      "id": "WID-SEC-W-2024-2077",
      "initial_release_date": "2024-09-08T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-09-08T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "QTS \u003c4.3.6.2805",
                "product": {
                  "name": "QNAP NAS QTS \u003c4.3.6.2805",
                  "product_id": "T037334"
                }
              },
              {
                "category": "product_version",
                "name": "QTS 4.3.6.2805",
                "product": {
                  "name": "QNAP NAS QTS 4.3.6.2805",
                  "product_id": "T037334-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:qts__4.3.6.2805"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QTS \u003c4.3.4.2814",
                "product": {
                  "name": "QNAP NAS QTS \u003c4.3.4.2814",
                  "product_id": "T037335"
                }
              },
              {
                "category": "product_version",
                "name": "QTS 4.3.4.2814",
                "product": {
                  "name": "QNAP NAS QTS 4.3.4.2814",
                  "product_id": "T037335-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:qts__4.3.4.2814"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QTS \u003c4.3.3.2784",
                "product": {
                  "name": "QNAP NAS QTS \u003c4.3.3.2784",
                  "product_id": "T037336"
                }
              },
              {
                "category": "product_version",
                "name": "QTS 4.3.3.2784",
                "product": {
                  "name": "QNAP NAS QTS 4.3.3.2784",
                  "product_id": "T037336-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:qts__4.3.3.2784"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QTS \u003c4.2.6",
                "product": {
                  "name": "QNAP NAS QTS \u003c4.2.6",
                  "product_id": "T037337"
                }
              },
              {
                "category": "product_version",
                "name": "QTS 4.2.6",
                "product": {
                  "name": "QNAP NAS QTS 4.2.6",
                  "product_id": "T037337-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:qts__4.2.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QTS \u003c4.5.4.2790",
                "product": {
                  "name": "QNAP NAS QTS \u003c4.5.4.2790",
                  "product_id": "T037338"
                }
              },
              {
                "category": "product_version",
                "name": "QTS 4.5.4.2790",
                "product": {
                  "name": "QNAP NAS QTS 4.5.4.2790",
                  "product_id": "T037338-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:qts__4.5.4.2790"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QuTS hero \u003ch4.5.4.2790",
                "product": {
                  "name": "QNAP NAS QuTS hero \u003ch4.5.4.2790",
                  "product_id": "T037339"
                }
              },
              {
                "category": "product_version",
                "name": "QuTS hero h4.5.4.2790",
                "product": {
                  "name": "QNAP NAS QuTS hero h4.5.4.2790",
                  "product_id": "T037339-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:quts_hero__h4.5.4.2790"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QuTS hero \u003ch5.2.0.2782",
                "product": {
                  "name": "QNAP NAS QuTS hero \u003ch5.2.0.2782",
                  "product_id": "T037340"
                }
              },
              {
                "category": "product_version",
                "name": "QuTS hero h5.2.0.2782",
                "product": {
                  "name": "QNAP NAS QuTS hero h5.2.0.2782",
                  "product_id": "T037340-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:quts_hero__h5.2.0.2782"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QTS \u003c5.2.0.2782",
                "product": {
                  "name": "QNAP NAS QTS \u003c5.2.0.2782",
                  "product_id": "T037341"
                }
              },
              {
                "category": "product_version",
                "name": "QTS 5.2.0.2782",
                "product": {
                  "name": "QNAP NAS QTS 5.2.0.2782",
                  "product_id": "T037341-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:qts__5.2.0.2782"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QTS \u003c5.1.8.2823",
                "product": {
                  "name": "QNAP NAS QTS \u003c5.1.8.2823",
                  "product_id": "T037342"
                }
              },
              {
                "category": "product_version",
                "name": "QTS 5.1.8.2823",
                "product": {
                  "name": "QNAP NAS QTS 5.1.8.2823",
                  "product_id": "T037342-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:qts__5.1.8.2823"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "QuTS hero \u003ch5.1.8.2823",
                "product": {
                  "name": "QNAP NAS QuTS hero \u003ch5.1.8.2823",
                  "product_id": "T037343"
                }
              },
              {
                "category": "product_version",
                "name": "QuTS hero h5.1.8.2823",
                "product": {
                  "name": "QNAP NAS QuTS hero h5.1.8.2823",
                  "product_id": "T037343-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/h:qnap:nas:quts_hero__h5.1.8.2823"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "NAS"
          }
        ],
        "category": "vendor",
        "name": "QNAP"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-34974",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in QNAP NAS QTS und QuTS hero. Diese Fehler sind auf eine OS-Befehlsinjektionsschwachstelle zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer mit Benutzer- oder Administratorrechten kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen. Eine der Schwachstellen erfordert Benutzerinteraktion, um erfolgreich ausgenutzt zu werden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037338",
          "T037339"
        ]
      },
      "release_date": "2024-09-08T22:00:00.000+00:00",
      "title": "CVE-2023-34974"
    },
    {
      "cve": "CVE-2023-34979",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in QNAP NAS QTS und QuTS hero. Diese Fehler sind auf eine OS-Befehlsinjektionsschwachstelle zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer mit Benutzer- oder Administratorrechten kann diese Schwachstellen zur Ausf\u00fchrung von beliebigem Code ausnutzen. Eine der Schwachstellen erfordert Benutzerinteraktion, um erfolgreich ausgenutzt zu werden."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037338",
          "T037339"
        ]
      },
      "release_date": "2024-09-08T22:00:00.000+00:00",
      "title": "CVE-2023-34979"
    },
    {
      "cve": "CVE-2023-39298",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in QNAP NAS QTS und QuTS hero aufgrund einer fehlenden Autorisierung. Ein lokaler Angreifer mit Benutzerzugriff kann diese Schwachstelle ausnutzen, um die Autorisierung zu umgehen und auf Daten zuzugreifen oder Aktionen ohne die entsprechenden Berechtigungen durchzuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037340",
          "T037341"
        ]
      },
      "release_date": "2024-09-08T22:00:00.000+00:00",
      "title": "CVE-2023-39298"
    },
    {
      "cve": "CVE-2023-39300",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in QNAP NAS QTS. Dieser Fehler besteht aufgrund einer unzureichenden Eingabevalidierung, was zu einer OS-Befehlsinjektionsschwachstelle f\u00fchrt. Ein entfernter authentifizierter Angreifer mit administrativen Rechten kann diese Schwachstelle ausnutzen, um beliebigen Code auf dem Betriebssystem auszuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037334",
          "T037335",
          "T037336",
          "T037337"
        ]
      },
      "release_date": "2024-09-08T22:00:00.000+00:00",
      "title": "CVE-2023-39300"
    },
    {
      "cve": "CVE-2024-21906",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in QNAP NAS QTS und QuTS hero. Dieser Fehler besteht aufgrund einer OS-Befehlsinjektionsschwachstelle. Ein entfernter Angreifer mit administrativen Rechten kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037342",
          "T037343"
        ]
      },
      "release_date": "2024-09-08T22:00:00.000+00:00",
      "title": "CVE-2024-21906"
    },
    {
      "cve": "CVE-2024-32763",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in QNAP NAS QTS und QuTS hero. Diese Sicherheitsl\u00fccke besteht aufgrund einer unsachgem\u00e4\u00dfen \u00dcberpr\u00fcfung der Eingabegr\u00f6\u00dfe w\u00e4hrend Buffer-Copy-Operationen, was zu einem \u201ebuffer overflow\u201c f\u00fchrt. Ein entfernter, authentisierter Angreifer mit Benutzerrechten kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037342",
          "T037343"
        ]
      },
      "release_date": "2024-09-08T22:00:00.000+00:00",
      "title": "CVE-2024-32763"
    },
    {
      "cve": "CVE-2024-32771",
      "notes": [
        {
          "category": "description",
          "text": "Es gibt eine Schwachstelle in QNAP NAS QTS und QuTS. Diese Sicherheitsl\u00fccke besteht aufgrund einer unsachgem\u00e4\u00dfen Beschr\u00e4nkung \u00fcberm\u00e4\u00dfiger Authentifizierungsversuche, die eine unbegrenzte Anzahl von Anmeldeversuchen mit Brute Force erm\u00f6glicht. Ein Angreifer aus einem benachbarten Netzwerk mit administrativen Rechten kann diese Schwachstelle ausnutzen, um die Authentifizierung zu umgehen und erweiterte Rechte zu erlangen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037340",
          "T037341"
        ]
      },
      "release_date": "2024-09-08T22:00:00.000+00:00",
      "title": "CVE-2024-32771"
    },
    {
      "cve": "CVE-2024-38641",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in QNAP NAS QTS und QuTS hero. Dieser Fehler besteht aufgrund einer OS-Befehlsinjektionsschwachstelle. Ein lokaler Angreifer mit Benutzerrechten kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037342",
          "T037343"
        ]
      },
      "release_date": "2024-09-08T22:00:00.000+00:00",
      "title": "CVE-2024-38641"
    }
  ]
}

cve-2023-34979

Vulnerability from cvelistv5

Published

2024-09-06 16:27

Modified

2024-09-06 17:22

Severity ?

6.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Summary

QTS, QuTS hero

References

▼	URL	Tags
	https://www.qnap.com/en/security-advisory/qsa-24-32

Impacted products

Vendor

Product

Version

▼

Version: 4.5.x < 4.5.4.2790 build 20240605

Version: h4.5.x < h4.5.4.2790 build 20240606

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34979",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-06T17:21:56.880025Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T17:22:05.522Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QTS",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "4.5.4.2790 build 20240605",
              "status": "affected",
              "version": "4.5.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTS hero",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "h4.5.4.2790 build 20240606",
              "status": "affected",
              "version": "h4.5.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tyaoo\u30010x14"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 4.5.4.2790 build 20240605 and later\u003cbr\u003eQuTS hero h4.5.4.2790 build 20240606 and later\u003cbr\u003e"
            }
          ],
          "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2790 build 20240605 and later\nQuTS hero h4.5.4.2790 build 20240606 and later"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-06T16:27:31.562Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-32"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 4.5.4.2790 build 20240605 and later\u003cbr\u003eQuTS hero h4.5.4.2790 build 20240606 and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2790 build 20240605 and later\nQuTS hero h4.5.4.2790 build 20240606 and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-32",
        "discovery": "EXTERNAL"
      },
      "title": "QTS, QuTS hero",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2023-34979",
    "datePublished": "2024-09-06T16:27:31.562Z",
    "dateReserved": "2023-06-08T08:26:04.295Z",
    "dateUpdated": "2024-09-06T17:22:05.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-39298

Vulnerability from cvelistv5

Published

2024-09-06 16:27

Modified

2024-09-06 17:43

Severity ?

7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

QTS, QuTS hero

References

▼	URL	Tags
	https://www.qnap.com/en/security-advisory/qsa-24-28

Impacted products

Vendor

Product

Version

▼

Version: 5.1.x < 5.2.0.2737 build 20240417

	QNAP Systems Inc.	QuTS hero	Version: h5.1.x < h5.2.0.2782 build 20240601
	QNAP Systems Inc.	QuTScloud	Patch: c5.0.x

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "qts",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "5.2.0.2737",
                "status": "affected",
                "version": "5.1.x",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "5.0.x"
              },
              {
                "status": "affected",
                "version": "4.5.x"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "quts_hero",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "h5.2.0.2782",
                "status": "affected",
                "version": "h5.1.x",
                "versionType": "custom"
              },
              {
                "status": "affected",
                "version": "h5.0.x"
              },
              {
                "status": "affected",
                "version": "h4.5.x"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:qnap:qutscloud:c5.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "qutscloud",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "h5.2.0.2782",
                "status": "affected",
                "version": "c5.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39298",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-06T17:32:06.687426Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T17:43:57.324Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QTS",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "5.2.0.2737 build 20240417",
              "status": "affected",
              "version": "5.1.x",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "5.0.x"
            },
            {
              "status": "unaffected",
              "version": "4.5.x"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTS hero",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "h5.2.0.2782 build 20240601",
              "status": "affected",
              "version": "h5.1.x",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "h5.0.x"
            },
            {
              "status": "unaffected",
              "version": "h4.5.x"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTScloud",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "h5.2.0.2782 build 20240601",
              "status": "unaffected",
              "version": "c5.0.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "chumen77"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A missing authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated users to access data or perform actions that they should not be allowed to perform via unspecified vectors.\u003cbr\u003eQuTScloud, is not affected.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.0.2737 build 20240417 and later\u003cbr\u003eQuTS hero h5.2.0.2782 build 20240601 and later\u003cbr\u003e"
            }
          ],
          "value": "A missing authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated users to access data or perform actions that they should not be allowed to perform via unspecified vectors.\nQuTScloud, is not affected.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.0.2737 build 20240417 and later\nQuTS hero h5.2.0.2782 build 20240601 and later"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-06T16:27:08.552Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-28"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.0.2737 build 20240417 and later\u003cbr\u003eQuTS hero h5.2.0.2782 build 20240601 and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.0.2737 build 20240417 and later\nQuTS hero h5.2.0.2782 build 20240601 and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-28",
        "discovery": "EXTERNAL"
      },
      "title": "QTS, QuTS hero",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2023-39298",
    "datePublished": "2024-09-06T16:27:08.552Z",
    "dateReserved": "2023-07-27T06:46:01.476Z",
    "dateUpdated": "2024-09-06T17:43:57.324Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-32763

Vulnerability from cvelistv5

Published

2024-09-06 16:27

Modified

2024-09-06 17:05

Severity ?

5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Summary

QTS, QuTS hero

References

▼	URL	Tags
	https://www.qnap.com/en/security-advisory/qsa-24-33

Impacted products

Vendor

Product

Version

▼

Version: 5.1.x < 5.1.8.2823 build 20240712

Version: h5.1.x < h5.1.8.2823 build 20240712

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32763",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-06T17:05:05.690309Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T17:05:19.113Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QTS",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "5.1.8.2823 build 20240712",
              "status": "affected",
              "version": "5.1.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTS hero",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "h5.1.8.2823 build 20240712",
              "status": "affected",
              "version": "h5.1.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Aliz Hammond of watchTowr"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.8.2823 build 20240712 and later\u003cbr\u003eQuTS hero h5.1.8.2823 build 20240712 and later\u003cbr\u003e"
            }
          ],
          "value": "A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-122",
              "description": "CWE-122",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-06T16:27:41.126Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-33"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.8.2823 build 20240712 and later\u003cbr\u003eQuTS hero h5.1.8.2823 build 20240712 and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-33",
        "discovery": "EXTERNAL"
      },
      "title": "QTS, QuTS hero",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2024-32763",
    "datePublished": "2024-09-06T16:27:41.126Z",
    "dateReserved": "2024-04-18T08:14:16.552Z",
    "dateUpdated": "2024-09-06T17:05:19.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-21906

Vulnerability from cvelistv5

Published

2024-09-06 16:27

Modified

2024-09-06 17:06

Severity ?

4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Summary

QTS, QuTS hero

References

▼	URL	Tags
	https://www.qnap.com/en/security-advisory/qsa-24-33

Impacted products

Vendor

Product

Version

▼

Version: 5.1.x < 5.1.8.2823 build 20240712

Version: h5.1.x < h5.1.8.2823 build 20240712

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21906",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-06T17:06:13.888968Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T17:06:25.449Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QTS",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "5.1.8.2823 build 20240712",
              "status": "affected",
              "version": "5.1.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTS hero",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "h5.1.8.2823 build 20240712",
              "status": "affected",
              "version": "h5.1.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "iothacker_dreamer"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.8.2823 build 20240712 and later\u003cbr\u003eQuTS hero h5.1.8.2823 build 20240712 and later\u003cbr\u003e"
            }
          ],
          "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-06T16:27:36.257Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-33"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.8.2823 build 20240712 and later\u003cbr\u003eQuTS hero h5.1.8.2823 build 20240712 and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-33",
        "discovery": "EXTERNAL"
      },
      "title": "QTS, QuTS hero",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2024-21906",
    "datePublished": "2024-09-06T16:27:36.257Z",
    "dateReserved": "2024-01-03T02:31:17.845Z",
    "dateUpdated": "2024-09-06T17:06:25.449Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-34974

Vulnerability from cvelistv5

Published

2024-09-06 16:27

Modified

2024-09-06 17:41

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

QTS, QuTS hero, QuTScloud, QVR, QES

References

▼	URL	Tags
	https://www.qnap.com/en/security-advisory/qsa-24-32

Impacted products

Vendor

Product

Version

▼

Version: 4.5.x < 4.5.4.2790 build 20240605

QNAP Systems Inc.	QuTS hero	Version: h4.5.x < h4.5.4.2626 build 20231225
QNAP Systems Inc.	QuTScloud
QNAP Systems Inc.	QVR
QNAP Systems Inc.	QES

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "qts",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "4.5.4.2790_build_20240605",
                "status": "affected",
                "version": "4.5.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "quts_hero",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "h4.5.4.2626_build_20231225",
                "status": "affected",
                "version": "h4.5.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34974",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-06T17:22:28.665908Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T17:41:58.365Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QTS",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "4.5.4.2790 build 20240605",
              "status": "affected",
              "version": "4.5.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTS hero",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "h4.5.4.2626 build 20231225",
              "status": "affected",
              "version": "h4.5.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTScloud",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "status": "unaffected",
              "version": "c5.x.x"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QVR",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "status": "unaffected",
              "version": "5.1.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QES",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "huasheng_mangguo"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\u003cbr\u003eQuTScloud, QVR, QES are not affected.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 4.5.4.2790 build 20240605 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003e"
            }
          ],
          "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\nQuTScloud, QVR, QES are not affected.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2790 build 20240605 and later\nQuTS hero h4.5.4.2626 build 20231225 and later"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-06T16:27:27.244Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-32"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 4.5.4.2790 build 20240605 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2790 build 20240605 and later\nQuTS hero h4.5.4.2626 build 20231225 and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-32",
        "discovery": "EXTERNAL"
      },
      "title": "QTS, QuTS hero, QuTScloud, QVR, QES",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2023-34974",
    "datePublished": "2024-09-06T16:27:27.244Z",
    "dateReserved": "2023-06-08T08:26:04.294Z",
    "dateUpdated": "2024-09-06T17:41:58.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-39300

Vulnerability from cvelistv5

Published

2024-09-06 16:27

Modified

2024-09-06 17:44

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

QTS

References

▼	URL	Tags
	https://www.qnap.com/en/security-advisory/qsa-24-26

Impacted products

Vendor

Product

Version

▼

Version: 4.3.6   < 4.3.6.2805 build 20240619
Version: 4.3.4   < 4.3.4.2814 build 20240618
Version: 4.3.3   < 4.3.3.2784 build 20240619
Version: 4.2.6   < 4.2.6 build 20240618

	QNAP Systems Inc.	QTS
	QNAP Systems Inc.	QuTS hero
	QNAP Systems Inc.	QuTScloud

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "qts",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "4.3.6.2805_build_20240619",
                "status": "affected",
                "version": "4.3.6",
                "versionType": "custom"
              },
              {
                "lessThan": "4.3.4.2814_build_20240618",
                "status": "affected",
                "version": "4.3.4",
                "versionType": "custom"
              },
              {
                "lessThan": "4.3.3.2784_build_20240619",
                "status": "affected",
                "version": "4.3.3",
                "versionType": "custom"
              },
              {
                "lessThan": "4.2.6_build_20240618",
                "status": "affected",
                "version": "4.2.6",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39300",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-06T17:35:15.918021Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T17:44:00.200Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QTS",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "4.3.6.2805 build 20240619",
              "status": "affected",
              "version": "4.3.6",
              "versionType": "custom"
            },
            {
              "lessThan": "4.3.4.2814 build 20240618",
              "status": "affected",
              "version": "4.3.4",
              "versionType": "custom"
            },
            {
              "lessThan": "4.3.3.2784 build 20240619",
              "status": "affected",
              "version": "4.3.3",
              "versionType": "custom"
            },
            {
              "lessThan": "4.2.6 build 20240618",
              "status": "affected",
              "version": "4.2.6",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QTS",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "status": "unaffected",
              "version": "5.x"
            },
            {
              "status": "unaffected",
              "version": "4.5.x"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTS hero",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "status": "unaffected",
              "version": "h5.x"
            },
            {
              "status": "unaffected",
              "version": "h4.5.x"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTScloud",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "status": "unaffected",
              "version": "c5.x"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Arseniy Sharoglazov"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An OS command injection vulnerability has been reported to affect legacy QTS. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 4.3.6.2805 build 20240619 and later\u003cbr\u003eQTS 4.3.4.2814 build 20240618 and later\u003cbr\u003eQTS 4.3.3.2784 build 20240619 and later\u003cbr\u003eQTS 4.2.6 build 20240618 and later\u003cbr\u003e"
            }
          ],
          "value": "An OS command injection vulnerability has been reported to affect legacy QTS. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 4.3.6.2805 build 20240619 and later\nQTS 4.3.4.2814 build 20240618 and later\nQTS 4.3.3.2784 build 20240619 and later\nQTS 4.2.6 build 20240618 and later"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-06T16:27:04.275Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-26"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 4.3.6.2805 build 20240619 and later\u003cbr\u003eQTS 4.3.4.2814 build 20240618 and later\u003cbr\u003eQTS 4.3.3.2784 build 20240619 and later\u003cbr\u003eQTS 4.2.6 build 20240618 and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following versions:\nQTS 4.3.6.2805 build 20240619 and later\nQTS 4.3.4.2814 build 20240618 and later\nQTS 4.3.3.2784 build 20240619 and later\nQTS 4.2.6 build 20240618 and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-26",
        "discovery": "EXTERNAL"
      },
      "title": "QTS",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2023-39300",
    "datePublished": "2024-09-06T16:27:04.275Z",
    "dateReserved": "2023-07-27T06:46:01.477Z",
    "dateUpdated": "2024-09-06T17:44:00.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-38641

Vulnerability from cvelistv5

Published

2024-09-06 16:27

Modified

2024-09-06 17:04

Severity ?

7.3 (High) - CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

QTS, QuTS hero

References

▼	URL	Tags
	https://www.qnap.com/en/security-advisory/qsa-24-33

Impacted products

Vendor

Product

Version

▼

Version: 5.1.x < 5.1.8.2823 build 20240712

Version: h5.1.x < h5.1.8.2823 build 20240712

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:qnap:quts_hero:h5.1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "quts_hero",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "h5.1.8.2823",
                "status": "affected",
                "version": "h5.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:qnap:qts:5.1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "qts",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "5.1.8.2823",
                "status": "affected",
                "version": "5.1.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38641",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-06T17:02:19.665987Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T17:04:38.717Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QTS",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "5.1.8.2823 build 20240712",
              "status": "affected",
              "version": "5.1.x",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QuTS hero",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "h5.1.8.2823 build 20240712",
              "status": "affected",
              "version": "h5.1.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Team Viettel in Matrix Cup 2024"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.8.2823 build 20240712 and later\u003cbr\u003eQuTS hero h5.1.8.2823 build 20240712 and later\u003cbr\u003e"
            }
          ],
          "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-78",
              "description": "CWE-78",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-06T16:27:46.814Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-33"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.8.2823 build 20240712 and later\u003cbr\u003eQuTS hero h5.1.8.2823 build 20240712 and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-33",
        "discovery": "EXTERNAL"
      },
      "title": "QTS, QuTS hero",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2024-38641",
    "datePublished": "2024-09-06T16:27:46.814Z",
    "dateReserved": "2024-06-19T00:17:01.279Z",
    "dateUpdated": "2024-09-06T17:04:38.717Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-32771

Vulnerability from cvelistv5

Published

2024-09-06 16:27

Modified

2024-09-06 17:33

Severity ?

2.6 (Low) - CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Summary

QTS, QuTS hero

References

▼	URL	Tags
	https://www.qnap.com/en/security-advisory/qsa-24-28

Impacted products

Vendor

Product

Version

▼

Version: 5.1.x < 5.2.0.2782 build 20240601

	QNAP Systems Inc.	QuTS hero	Version: h5.1.x < h5.2.0.2782 build 20240601
	QNAP Systems Inc.	QuTScloud

Show details on NVD website