CVE-2024-21902

Published: May 21, 2024Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later

Affected (23)

Products: Qnap: Qts, Quts Hero

Qnap

2 products

Qts

Quts Hero

Configuration A

12 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 5.1.0.2348 build_20230325
Qnap Qts	Version 5.1.0.2399 build_20230515
Qnap Qts	Version 5.1.0.2418 build_20230603
Qnap Qts	Version 5.1.0.2444 build_20230629
Qnap Qts	Version 5.1.0.2466 build_20230721
Qnap Qts	Version 5.1.1.2491 build_20230815
Qnap Qts	Version 5.1.2.2533 build_20230926
Qnap Qts	Version 5.1.3.2578 build_20231110
Qnap Qts	Version 5.1.4.2596 build_20231128
Qnap Qts	Version 5.1.5.2645 build_20240116
Qnap Qts	Version 5.1.5.2679 build_20240219
Qnap Qts	Version 5.1.6.2722 build_20240402

Configuration B

11 vulnerable

Vulnerable Software	Affected Versions
Qnap Quts Hero	Version h5.1.0.2409 build_20230525
Qnap Quts Hero	Version h5.1.0.2424 build_20230609
Qnap Quts Hero	Version h5.1.0.2453 build_20230708
Qnap Quts Hero	Version h5.1.0.2466 build_20230721
Qnap Quts Hero	Version h5.1.1.2488 build_20230812
Qnap Quts Hero	Version h5.1.2.2534 build_20230927
Qnap Quts Hero	Version h5.1.3.2578 build_20231110
Qnap Quts Hero	Version h5.1.4.2596 build_20231128
Qnap Quts Hero	Version h5.1.5.2647 build_20240118
Qnap Quts Hero	Version h5.1.5.2680 build_20240220
Qnap Quts Hero	Version h5.1.6.2734 build_20240414

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://www.qnap.com/en/security-advisory/qsa-24-23

Source: security@qnapsecurity.com.tw

Vendor Advisory

https://www.qnap.com/en/security-advisory/qsa-24-23

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.