CVE-2023-39300

Published: Sep 6, 2024Modified: Sep 24, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

An OS command injection vulnerability has been reported to affect legacy QTS. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.3.6.2805 build 20240619 and later QTS 4.3.4.2814 build 20240618 and later QTS 4.3.3.2784 build 20240619 and later QTS 4.2.6 build 20240618 and later

Affected (79)

Products: Qnap: Qts

Qnap

1 product

Qts

Configuration A

28 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 4.3.6.0895 build_20190328
Qnap Qts	Version 4.3.6.0907 build_20190409
Qnap Qts	Version 4.3.6.0923 build_20190425
Qnap Qts	Version 4.3.6.0944 build_20190516
Qnap Qts	Version 4.3.6.0959 build_20190531
Qnap Qts	Version 4.3.6.0979 build_20190620
Qnap Qts	Version 4.3.6.0993 build_20190704
Qnap Qts	Version 4.3.6.1013 build_20190724
Qnap Qts	Version 4.3.6.1033 build_20190813
Qnap Qts	Version 4.3.6.1070 build_20190919
Qnap Qts	Version 4.3.6.1154 build_20191212
Qnap Qts	Version 4.3.6.1218 build_20200214
Qnap Qts	Version 4.3.6.1263 build_20200330
Qnap Qts	Version 4.3.6.1286 build_20200422
Qnap Qts	Version 4.3.6.1333 build_20200608
Qnap Qts	Version 4.3.6.1411 build_20200825
Qnap Qts	Version 4.3.6.1446 build_20200929
Qnap Qts	Version 4.3.6.1620 build_20210322
Qnap Qts	Version 4.3.6.1663 build_20210504
Qnap Qts	Version 4.3.6.1711 build_20210621
Qnap Qts	Version 4.3.6.1750 build_20210730
Qnap Qts	Version 4.3.6.1831 build_20211019
Qnap Qts	Version 4.3.6.1907 build_20220103
Qnap Qts	Version 4.3.6.1965 build_20220302
Qnap Qts	Version 4.3.6.2050 build_20220526
Qnap Qts	Version 4.3.6.2232 build_20221124
Qnap Qts	Version 4.3.6.2441 build_20230621
Qnap Qts	Version 4.3.6.2665 build_20240131

Configuration B

15 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 4.3.4.0899 build_20190322
Qnap Qts	Version 4.3.4.1029 build_20190730
Qnap Qts	Version 4.3.4.1082 build_20190921
Qnap Qts	Version 4.3.4.1190 build_20200107
Qnap Qts	Version 4.3.4.1282 build_20200408
Qnap Qts	Version 4.3.4.1368 build_20200703
Qnap Qts	Version 4.3.4.1417 build_20200821
Qnap Qts	Version 4.3.4.1463 build_20201006
Qnap Qts	Version 4.3.4.1632 build_20210324
Qnap Qts	Version 4.3.4.1652 build_20210413
Qnap Qts	Version 4.3.4.1976 build_20220303
Qnap Qts	Version 4.3.4.2107 build_20220712
Qnap Qts	Version 4.3.4.2242 build_20221124
Qnap Qts	Version 4.3.4.2451 build_20230621
Qnap Qts	Version 4.3.4.2675 build_20240131

Configuration C

20 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 4.3.3.0174 build_20170503
Qnap Qts	Version 4.3.3.0868 build_20190322
Qnap Qts	Version 4.3.3.0998 build_20190730
Qnap Qts	Version 4.3.3.1051 build_20190921
Qnap Qts	Version 4.3.3.1098 build_20191107
Qnap Qts	Version 4.3.3.1161 build_20200109
Qnap Qts	Version 4.3.3.1252 build_20200409
Qnap Qts	Version 4.3.3.1315 build_20200611
Qnap Qts	Version 4.3.3.1386 build_20200821
Qnap Qts	Version 4.3.3.1432 build_20201006
Qnap Qts	Version 4.3.3.1624 build_20210416
Qnap Qts	Version 4.3.3.1677 build_20210608
Qnap Qts	Version 4.3.3.1693 build_20210624
Qnap Qts	Version 4.3.3.1799 build_20211008
Qnap Qts	Version 4.3.3.1864 build_20211212
Qnap Qts	Version 4.3.3.1945 build_20220303
Qnap Qts	Version 4.3.3.2057 build_20220623
Qnap Qts	Version 4.3.3.2211 build_20221124
Qnap Qts	Version 4.3.3.2420 build_20230621
Qnap Qts	Version 4.3.3.2644 build_20240131

Configuration D

16 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 4.2.6 build_20170517
Qnap Qts	Version 4.2.6 build_20190322
Qnap Qts	Version 4.2.6 build_20190730
Qnap Qts	Version 4.2.6 build_20190921
Qnap Qts	Version 4.2.6 build_20191107
Qnap Qts	Version 4.2.6 build_20200109
Qnap Qts	Version 4.2.6 build_20200421
Qnap Qts	Version 4.2.6 build_20200611
Qnap Qts	Version 4.2.6 build_20200821
Qnap Qts	Version 4.2.6 build_20210327
Qnap Qts	Version 4.2.6 build_20211215
Qnap Qts	Version 4.2.6 build_20220304
Qnap Qts	Version 4.2.6 build_20220623
Qnap Qts	Version 4.2.6 build_20221028
Qnap Qts	Version 4.2.6 build_20230621
Qnap Qts	Version 4.2.6 build_20240131

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

https://www.qnap.com/en/security-advisory/qsa-24-26

Source: security@qnapsecurity.com.tw

Vendor Advisory

Timeline

No history available yet.