Today > vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-21906

Sept. 20, 2024, 4:49 p.m.

CVSS Score

4.7 / 10

Products Impacted

Vendor Product Versions
qnap
  • qts
  • quts_hero
  • 5.1.0.2348, 5.1.0.2399, 5.1.0.2418, 5.1.0.2444, 5.1.0.2466, 5.1.1.2491, 5.1.2.2533, 5.1.3.2578, 5.1.4.2596, 5.1.5.2645, 5.1.5.2679, 5.1.6.2722, 5.1.7.2770
  • h5.1.0.2409, h5.1.0.2424, h5.1.0.2453, h5.1.0.2466, h5.1.1.2488, h5.1.2.2534, h5.1.3.2578, h5.1.4.2596, h5.1.5.2647, h5.1.5.2680, h5.1.6.2734, h5.1.7.2770, h5.1.7.2788, h5.1.7.2794

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later

Weaknesses

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE ID: 78

Date

Published: Sept. 6, 2024, 5:15 p.m.

Last Modified: Sept. 20, 2024, 4:49 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@qnapsecurity.com.tw

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o qnap qts 5.1.0.2348 build_20230325 / / / / / /
o qnap qts 5.1.0.2399 build_20230515 / / / / / /
o qnap qts 5.1.0.2418 build_20230603 / / / / / /
o qnap qts 5.1.0.2444 build_20230629 / / / / / /
o qnap qts 5.1.0.2466 build_20230721 / / / / / /
o qnap qts 5.1.1.2491 build_20230815 / / / / / /
o qnap qts 5.1.2.2533 build_20230926 / / / / / /
o qnap qts 5.1.3.2578 build_20231110 / / / / / /
o qnap qts 5.1.4.2596 build_20231128 / / / / / /
o qnap qts 5.1.5.2645 build_20240116 / / / / / /
o qnap qts 5.1.5.2679 build_20240219 / / / / / /
o qnap qts 5.1.6.2722 build_20240402 / / / / / /
o qnap qts 5.1.7.2770 build_20240520 / / / / / /
o qnap quts_hero h5.1.0.2409 build_20230525 / / / / / /
o qnap quts_hero h5.1.0.2424 build_20230609 / / / / / /
o qnap quts_hero h5.1.0.2453 build_20230708 / / / / / /
o qnap quts_hero h5.1.0.2466 build_20230721 / / / / / /
o qnap quts_hero h5.1.1.2488 build_20230812 / / / / / /
o qnap quts_hero h5.1.2.2534 build_20230927 / / / / / /
o qnap quts_hero h5.1.3.2578 build_20231110 / / / / / /
o qnap quts_hero h5.1.4.2596 build_20231128 / / / / / /
o qnap quts_hero h5.1.5.2647 build_20240118 / / / / / /
o qnap quts_hero h5.1.5.2680 build_20240220 / / / / / /
o qnap quts_hero h5.1.6.2734 build_20240414 / / / / / /
o qnap quts_hero h5.1.7.2770 build_20240520 / / / / / /
o qnap quts_hero h5.1.7.2788 build_20240607 / / / / / /
o qnap quts_hero h5.1.7.2794 build_20240613 / / / / / /

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

Base Score
4.7
Exploitability Score
1.2
Impact Score
3.4
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

References

https://www.qnap.com/ security@qnapsecurity.com.tw