CVE-2023-23367

Published: Nov 10, 2023Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTScloud c5.1.0.2498 and later

Affected (42)

Products: Qnap: Qts, Quts Hero, Qutscloud

3 products

Configuration A

20 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 5.0.0.1716 build_20210701
Qnap Qts	Version 5.0.0.1785 build_20210908
Qnap Qts	Version 5.0.0.1808 build_20211001
Qnap Qts	Version 5.0.0.1828 build_20211020
Qnap Qts	Version 5.0.0.1837 build_20211029
Qnap Qts	Version 5.0.0.1850 build_20211111
Qnap Qts	Version 5.0.0.1853 build_20211114
Qnap Qts	Version 5.0.0.1858 build_20211119
Qnap Qts	Version 5.0.0.1870 build_20211201
Qnap Qts	Version 5.0.1.2034 build_20220515
Qnap Qts	Version 5.0.1.2079 build_20220629
Qnap Qts	Version 5.0.1.2131 build_20220820
Qnap Qts	Version 5.0.1.2137 build_20220826
Qnap Qts	Version 5.0.1.2145 build_20220903
Qnap Qts	Version 5.0.1.2173 build_20221001
Qnap Qts	Version 5.0.1.2194 build_20221022
Qnap Qts	Version 5.0.1.2234 build_20221201
Qnap Qts	Version 5.0.1.2248 build_20221215
Qnap Qts	Version 5.0.1.2277 build_20230112
Qnap Qts	Version 5.0.1.2346 build_20230322

Configuration B

16 vulnerable

Vulnerable Software	Affected Versions
Qnap Quts Hero	Version h5.0.0.1772 build_20210826
Qnap Quts Hero	Version h5.0.0.1844 build_20211105
Qnap Quts Hero	Version h5.0.0.1856 build_20211117
Qnap Quts Hero	Version h5.0.0.1892 build_20211222
Qnap Quts Hero	Version h5.0.0.1900 build_20211228
Qnap Quts Hero	Version h5.0.0.1949 build_20220215
Qnap Quts Hero	Version h5.0.0.1986 build_20220324
Qnap Quts Hero	Version h5.0.0.2022 build_20220428
Qnap Quts Hero	Version h5.0.0.2069 build_20220614
Qnap Quts Hero	Version h5.0.0.2120 build_20220804
Qnap Quts Hero	Version h5.0.1.2045 build_20220526
Qnap Quts Hero	Version h5.0.1.2192 build_20221020
Qnap Quts Hero	Version h5.0.1.2248 build_20221215
Qnap Quts Hero	Version h5.0.1.2269 build_20230104
Qnap Quts Hero	Version h5.0.1.2277 build_20230112
Qnap Quts Hero	Version h5.0.1.2348 build_20230324

Configuration C

6 vulnerable

Vulnerable Software	Affected Versions
Qnap Qutscloud	Version c5.0.0.1919 build_20220119
Qnap Qutscloud	Version c5.0.1.1949 build_20220218
Qnap Qutscloud	Version c5.0.1.1998 build_20220408
Qnap Qutscloud	Version c5.0.1.2044 build_20220524
Qnap Qutscloud	Version c5.0.1.2148 build_20220905
Qnap Qutscloud	Version c5.0.1.2374 build_20230419

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://www.qnap.com/en/security-advisory/qsa-23-24

Source: security@qnapsecurity.com.tw

Vendor Advisory

https://www.qnap.com/en/security-advisory/qsa-23-24

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.