CVE-2023-39294 | ByteOS Network

Vulnerability Details :

CVE-2023-39294

Assigner-qnap

Assigner Org ID-2fd009eb-170a-4625-932b-17a53af1051f

Published At-05 Jan, 2024 | 16:19

Updated At-04 Sep, 2024 | 19:53

QTS, QuTS hero

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later

EPSS History

Score

Latest Score

-

N/A

Percentile

Latest Percentile

-

N/A

▼Common Vulnerabilities and Exposures (CVE)

Assigner:qnap

Assigner Org ID:2fd009eb-170a-4625-932b-17a53af1051f

Published At:05 Jan, 2024 | 16:19

Updated At:04 Sep, 2024 | 19:53

▼CVE Numbering Authority (CNA)

QTS, QuTS hero

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later

Affected Products

Vendor

QNAP Systems, Inc.

Product

Default Status

unaffected

Versions

Affected

From 5.1.x before 5.1.3.2578 build 20231110 (custom)

Vendor

QNAP Systems, Inc.

Product

Default Status

unaffected

Versions

Affected

From h5.1.x before h5.1.3.2578 build 20231110 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-78	CWE-78

Type: CWE

CWE ID: CWE-78

Description: CWE-78

Metrics

Version	Base score	Base severity	Vector
3.1	6.6	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Version: 3.1

Base score: 6.6

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Impacts

CAPEC ID	Description
CAPEC-88	CAPEC-88

CAPEC ID: CAPEC-88

Description: CAPEC-88

Solutions

We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later

Credits

finder

rekter0

References

Hyperlink	Resource
https://www.qnap.com/en/security-advisory/qsa-23-54	N/A

Hyperlink: https://www.qnap.com/en/security-advisory/qsa-23-54

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://www.qnap.com/en/security-advisory/qsa-23-54	x_transferred

Hyperlink: https://www.qnap.com/en/security-advisory/qsa-23-54

Resource:

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

Source:security@qnapsecurity.com.tw

Published At:05 Jan, 2024 | 17:15

Updated At:11 Jan, 2024 | 17:09

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Secondary	3.1	6.6	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Type: Primary

Version: 3.1

Base score: 7.2

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 6.6

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

CPE Matches

QNAP Systems, Inc.

>>qts>>5.1.0.2348

cpe:2.3:o:qnap:qts:5.1.0.2348:build_20230325:*:*:*:*:*:*

QNAP Systems, Inc.

>>qts>>5.1.0.2399

cpe:2.3:o:qnap:qts:5.1.0.2399:build_20230515:*:*:*:*:*:*

QNAP Systems, Inc.

>>qts>>5.1.0.2418

cpe:2.3:o:qnap:qts:5.1.0.2418:build_20230603:*:*:*:*:*:*

QNAP Systems, Inc.

>>qts>>5.1.0.2444

cpe:2.3:o:qnap:qts:5.1.0.2444:build_20230629:*:*:*:*:*:*

QNAP Systems, Inc.

>>qts>>5.1.0.2466

cpe:2.3:o:qnap:qts:5.1.0.2466:build_20230721:*:*:*:*:*:*

QNAP Systems, Inc.

>>qts>>5.1.1.2491

cpe:2.3:o:qnap:qts:5.1.1.2491:build_20230815:*:*:*:*:*:*

QNAP Systems, Inc.

>>qts>>5.1.2.2533

cpe:2.3:o:qnap:qts:5.1.2.2533:build_20230926:*:*:*:*:*:*

QNAP Systems, Inc.

>>quts_hero>>h5.1.0.2409

cpe:2.3:o:qnap:quts_hero:h5.1.0.2409:build_20230525:*:*:*:*:*:*

QNAP Systems, Inc.

>>quts_hero>>h5.1.0.2424

cpe:2.3:o:qnap:quts_hero:h5.1.0.2424:build_20230609:*:*:*:*:*:*

QNAP Systems, Inc.

>>quts_hero>>h5.1.0.2453

cpe:2.3:o:qnap:quts_hero:h5.1.0.2453:build_20230708:*:*:*:*:*:*

QNAP Systems, Inc.

>>quts_hero>>h5.1.0.2466

cpe:2.3:o:qnap:quts_hero:h5.1.0.2466:build_20230721:*:*:*:*:*:*

QNAP Systems, Inc.

>>quts_hero>>h5.1.1.2488

cpe:2.3:o:qnap:quts_hero:h5.1.1.2488:build_20230812:*:*:*:*:*:*

QNAP Systems, Inc.

>>quts_hero>>h5.1.2.2534

cpe:2.3:o:qnap:quts_hero:h5.1.2.2534:build_20230927:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-78	Primary	security@qnapsecurity.com.tw

CWE ID: CWE-78

Type: Primary

Source: security@qnapsecurity.com.tw

References

Hyperlink	Source	Resource
https://www.qnap.com/en/security-advisory/qsa-23-54	security@qnapsecurity.com.tw	Vendor Advisory

Hyperlink: https://www.qnap.com/en/security-advisory/qsa-23-54

Source: security@qnapsecurity.com.tw

Resource:

Vendor Advisory