CVE-2023-39301

Published: Nov 3, 2023Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read application data via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later QTS 5.1.1.2491 build 20230815 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h5.1.1.2488 build 20230812 and later QuTScloud c5.1.0.2498 and later

Affected (5)

Products: Qnap: Qts, Quts Hero, Qutscloud

3 products

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Before 5.1.1.2491

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Before 5.0.1.2514

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Qnap Quts Hero	Before h5.1.1.2488

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Qnap Quts Hero	Before h5.0.1.2515

Configuration E

1 vulnerable

Vulnerable Software	Affected Versions
Qnap Qutscloud	Before c5.1.0.2498

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://www.qnap.com/en/security-advisory/qsa-23-51

Source: security@qnapsecurity.com.tw

Vendor Advisory

https://www.qnap.com/en/security-advisory/qsa-23-51

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.