← Back

CVE-2024-21898

nvd nist
Published: Sep 6, 2024Modified: Sep 11, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Affected (21)

Products: Qnap: Qts, Quts Hero
Qnap
2 products
Qts
Quts Hero
Configuration A
11 vulnerable
Vulnerable SoftwareAffected Versions
Qnap
Qts
Version 5.1.0.2348 build_20230325
Qts
Version 5.1.0.2399 build_20230515
Qts
Version 5.1.0.2418 build_20230603
Qts
Version 5.1.0.2444 build_20230629
Qts
Version 5.1.0.2466 build_20230721
Qts
Version 5.1.1.2491 build_20230815
Qts
Version 5.1.2.2533 build_20230926
Qts
Version 5.1.3.2578 build_20231110
Qts
Version 5.1.4.2596 build_20231128
Qts
Version 5.1.5.2645 build_20240116
Qts
Version 5.1.5.2679 build_20240219
Configuration B
10 vulnerable
Vulnerable SoftwareAffected Versions
Qnap
Quts Hero
Version h5.1.0.2409 build_20230525
Quts Hero
Version h5.1.0.2424 build_20230609
Quts Hero
Version h5.1.0.2453 build_20230708
Quts Hero
Version h5.1.0.2466 build_20230721
Quts Hero
Version h5.1.1.2488 build_20230812
Quts Hero
Version h5.1.2.2534 build_20230927
Quts Hero
Version h5.1.3.2578 build_20231110
Quts Hero
Version h5.1.4.2596 build_20231128
Quts Hero
Version h5.1.5.2647 build_20240118
Quts Hero
Version h5.1.5.2680 build_20240220

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

Source: security@qnapsecurity.com.tw
Vendor Advisory

Timeline

No history available yet.