CVE-2024-38641

Published: Sep 6, 2024Modified: Sep 16, 2024

7.3

Vector

CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security@qnapsecurity.com.tw (Secondary)

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later

Affected (27)

Products: Qnap: Qts, Quts Hero

Qnap

2 products

Qts

Quts Hero

Configuration A

13 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 5.1.0.2348 build_20230325
Qnap Qts	Version 5.1.0.2399 build_20230515
Qnap Qts	Version 5.1.0.2418 build_20230603
Qnap Qts	Version 5.1.0.2444 build_20230629
Qnap Qts	Version 5.1.0.2466 build_20230721
Qnap Qts	Version 5.1.1.2491 build_20230815
Qnap Qts	Version 5.1.2.2533 build_20230926
Qnap Qts	Version 5.1.3.2578 build_20231110
Qnap Qts	Version 5.1.4.2596 build_20231128
Qnap Qts	Version 5.1.5.2645 build_20240116
Qnap Qts	Version 5.1.5.2679 build_20240219
Qnap Qts	Version 5.1.6.2722 build_20240402
Qnap Qts	Version 5.1.7.2770 build_20240520

Configuration B

14 vulnerable

Vulnerable Software	Affected Versions
Qnap Quts Hero	Version h5.1.0.2409 build_20230525
Qnap Quts Hero	Version h5.1.0.2424 build_20230609
Qnap Quts Hero	Version h5.1.0.2453 build_20230708
Qnap Quts Hero	Version h5.1.0.2466 build_20230721
Qnap Quts Hero	Version h5.1.1.2488 build_20230812
Qnap Quts Hero	Version h5.1.2.2534 build_20230927
Qnap Quts Hero	Version h5.1.3.2578 build_20231110
Qnap Quts Hero	Version h5.1.4.2596 build_20231128
Qnap Quts Hero	Version h5.1.5.2647 build_20240118
Qnap Quts Hero	Version h5.1.5.2680 build_20240220
Qnap Quts Hero	Version h5.1.6.2734 build_20240414
Qnap Quts Hero	Version h5.1.7.2770 build_20240520
Qnap Quts Hero	Version h5.1.7.2788 build_20240607
Qnap Quts Hero	Version h5.1.7.2794 build_20240613

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (1)

https://www.qnap.com/en/security-advisory/qsa-24-33

Source: security@qnapsecurity.com.tw

Vendor Advisory

Timeline

No history available yet.