← Back

CVE-2024-21906

nvd nist
Published: Sep 6, 2024Modified: Sep 20, 2024

JSON object

Loading...
4.7
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Exploitability: 1.2 / Impact: 3.4
Source: NVD

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later

Affected (27)

Products: Qnap: Qts, Quts Hero
Qnap
2 products
Qts
Quts Hero
Configuration A
13 vulnerable
Vulnerable SoftwareAffected Versions
Qnap
Qts
Version 5.1.0.2348 build_20230325
Qts
Version 5.1.0.2399 build_20230515
Qts
Version 5.1.0.2418 build_20230603
Qts
Version 5.1.0.2444 build_20230629
Qts
Version 5.1.0.2466 build_20230721
Qts
Version 5.1.1.2491 build_20230815
Qts
Version 5.1.2.2533 build_20230926
Qts
Version 5.1.3.2578 build_20231110
Qts
Version 5.1.4.2596 build_20231128
Qts
Version 5.1.5.2645 build_20240116
Qts
Version 5.1.5.2679 build_20240219
Qts
Version 5.1.6.2722 build_20240402
Qts
Version 5.1.7.2770 build_20240520
Configuration B
14 vulnerable
Vulnerable SoftwareAffected Versions
Qnap
Quts Hero
Version h5.1.0.2409 build_20230525
Quts Hero
Version h5.1.0.2424 build_20230609
Quts Hero
Version h5.1.0.2453 build_20230708
Quts Hero
Version h5.1.0.2466 build_20230721
Quts Hero
Version h5.1.1.2488 build_20230812
Quts Hero
Version h5.1.2.2534 build_20230927
Quts Hero
Version h5.1.3.2578 build_20231110
Quts Hero
Version h5.1.4.2596 build_20231128
Quts Hero
Version h5.1.5.2647 build_20240118
Quts Hero
Version h5.1.5.2680 build_20240220
Quts Hero
Version h5.1.6.2734 build_20240414
Quts Hero
Version h5.1.7.2770 build_20240520
Quts Hero
Version h5.1.7.2788 build_20240607
Quts Hero
Version h5.1.7.2794 build_20240613

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

Source: security@qnapsecurity.com.tw
Vendor Advisory

Timeline

No history available yet.