← Back

CVE-2020-2509

nvd nist
Published: Apr 17, 2021Modified: Oct 27, 2025CISA KEV

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

Affected (86)

Products: Qnap: Qts, Quts Hero
Qnap
2 products
Qts
Quts Hero
Configuration A
86 vulnerable
Vulnerable SoftwareAffected Versions
Qnap
Qts
Before 4.2.6
Qts
From 4.3.5 to 4.3.6
Qts
From 4.4.0 to 4.5.1
Qts
Version 4.2.6
Qts
Version 4.2.6 build_20170517
Qts
Version 4.2.6 build_20190322
Qts
Version 4.2.6 build_20190730
Qts
Version 4.2.6 build_20190921
Qts
Version 4.2.6 build_20191107
Qts
Version 4.2.6 build_20200109
Qts
Version 4.2.6 build_20200421
Qts
Version 4.2.6 build_20200611
Qts
Version 4.2.6 build_20200821
Qts
Version 4.3.3.0174
Qts
Version 4.3.3.0868
Qts
Version 4.3.3.0998
Qts
Version 4.3.3.1051
Qts
Version 4.3.3.1098
Qts
Version 4.3.3.1161
Qts
Version 4.3.3.1252
Qts
Version 4.3.3.1315
Qts
Version 4.3.3.1386
Qts
Version 4.3.3.1432
Qts
Version 4.3.4.0358
Qts
Version 4.3.4.0358 beta1
Qts
Version 4.3.4.0370
Qts
Version 4.3.4.0370 beta1
Qts
Version 4.3.4.0372
Qts
Version 4.3.4.0372 beta1
Qts
Version 4.3.4.0374
Qts
Version 4.3.4.0374 beta1
Qts
Version 4.3.4.0387
Qts
Version 4.3.4.0387 beta2
Qts
Version 4.3.4.0411
Qts
Version 4.3.4.0416
Qts
Version 4.3.4.0427
Qts
Version 4.3.4.0434
Qts
Version 4.3.4.0435
Qts
Version 4.3.4.0451
Qts
Version 4.3.4.0483
Qts
Version 4.3.4.0486
Qts
Version 4.3.4.0506
Qts
Version 4.3.4.0516
Qts
Version 4.3.4.0526
Qts
Version 4.3.4.0551
Qts
Version 4.3.4.0557
Qts
Version 4.3.4.0561
Qts
Version 4.3.4.0569
Qts
Version 4.3.4.0593
Qts
Version 4.3.4.0597
Qts
Version 4.3.4.0604
Qts
Version 4.3.4.0899
Qts
Version 4.3.4.1029
Qts
Version 4.3.4.1082
Qts
Version 4.3.4.1190
Qts
Version 4.3.4.1282
Qts
Version 4.3.4.1368
Qts
Version 4.3.4.1417
Qts
Version 4.3.4.1463
Qts
Version 4.3.6.0895
Qts
Version 4.3.6.0907
Qts
Version 4.3.6.0923
Qts
Version 4.3.6.0944
Qts
Version 4.3.6.0959
Qts
Version 4.3.6.0979
Qts
Version 4.3.6.0993
Qts
Version 4.3.6.1013
Qts
Version 4.3.6.1033
Qts
Version 4.3.6.1070
Qts
Version 4.3.6.1154
Qts
Version 4.3.6.1218
Qts
Version 4.3.6.1263
Qts
Version 4.3.6.1286
Qts
Version 4.3.6.1333
Qts
Version 4.3.6.1411
Qts
Version 4.3.6.1446
Qts
Version 4.3.6
Qts
Version 4.5.1.1456
Qts
Version 4.5.1.1461
Qts
Version 4.5.1.1465
Qts
Version 4.5.1.1480
Qts
Version 4.5.1
Qts
Version 4.5.2
Qnap
Quts Hero
Before h4.5.1
Quts Hero
Version h4.5.1.1472
Quts Hero
Version h4.5.1

Related CWEs

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

Source: security@qnapsecurity.com.tw
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.