← Back

CVE-2021-44051

nvd nist
Published: May 5, 2022Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later

Affected (19)

Qnap
3 products
Qts
Quts Hero
Qutscloud
Configuration A
19 vulnerable
Vulnerable SoftwareAffected Versions
Qnap
Qts
From 5.0.0.1716 to 5.0.0.1986
Qts
From 4.3.3.0174 to 4.3.3.1945
Qts
From 4.3.4.0899 to 4.3.4.1976
Qts
From 4.3.6.0895 to 4.3.6.1965
Qts
From 4.4.0.0883 to 4.5.4.1991
Qts
Version 4.2.6 build_20170517
Qts
Version 4.2.6 build_20190322
Qts
Version 4.2.6 build_20190730
Qts
Version 4.2.6 build_20190921
Qts
Version 4.2.6 build_20191107
Qts
Version 4.2.6 build_20200109
Qts
Version 4.2.6 build_20200421
Qts
Version 4.2.6 build_20200611
Qts
Version 4.2.6 build_20200821
Qts
Version 4.2.6 build_20210327
Qts
Version 4.2.6 build_20211215
Qnap
Quts Hero
Before h4.5.4.1771
Quts Hero
From h5.0.0.1772 to h5.0.0.1986
Qutscloud
Before c5.0.1.1998

Related CWEs

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

Source: security@qnapsecurity.com.tw
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.