CVE-2024-21903

Published: Sep 6, 2024Modified: Sep 11, 2024

4.7

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Exploitability: 1.2 / Impact: 3.4

Source: NVD

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Affected (21)

Products: Qnap: Qts, Quts Hero

Qnap

2 products

Qts

Quts Hero

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 5.1.0.2348 build_20230325
Qnap Qts	Version 5.1.0.2399 build_20230515
Qnap Qts	Version 5.1.0.2418 build_20230603
Qnap Qts	Version 5.1.0.2444 build_20230629
Qnap Qts	Version 5.1.0.2466 build_20230721
Qnap Qts	Version 5.1.1.2491 build_20230815
Qnap Qts	Version 5.1.2.2533 build_20230926
Qnap Qts	Version 5.1.3.2578 build_20231110
Qnap Qts	Version 5.1.4.2596 build_20231128
Qnap Qts	Version 5.1.5.2645 build_20240116
Qnap Qts	Version 5.1.5.2679 build_20240219

Configuration B

10 vulnerable

Vulnerable Software	Affected Versions
Qnap Quts Hero	Version h5.1.0.2409 build_20230525
Qnap Quts Hero	Version h5.1.0.2424 build_20230609
Qnap Quts Hero	Version h5.1.0.2453 build_20230708
Qnap Quts Hero	Version h5.1.0.2466 build_20230721
Qnap Quts Hero	Version h5.1.1.2488 build_20230812
Qnap Quts Hero	Version h5.1.2.2534 build_20230927
Qnap Quts Hero	Version h5.1.3.2578 build_20231110
Qnap Quts Hero	Version h5.1.4.2596 build_20231128
Qnap Quts Hero	Version h5.1.5.2647 build_20240118
Qnap Quts Hero	Version h5.1.5.2680 build_20240220

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

https://www.qnap.com/en/security-advisory/qsa-24-20

Source: security@qnapsecurity.com.tw

Vendor Advisory

Timeline

No history available yet.