CVE-2023-34974

Severity CVSS v4.0:

Pending analysis

Type:

CWE-78 OS Command Injections

Publication date:

06/09/2024

Last modified:

13/09/2024

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. QuTScloud, QVR, QES are not affected. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2790 build 20240605 and later QuTS hero h4.5.4.2626 build 20231225 and later

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 8.80 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

8.80

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:o:qnap:qts:4.5.4.1715:build_20210630::::::
cpe:2.3:o:qnap:qts:4.5.4.1723:build_20210708::::::
cpe:2.3:o:qnap:qts:4.5.4.1741:build_20210726::::::
cpe:2.3:o:qnap:qts:4.5.4.1787:build_20210910::::::
cpe:2.3:o:qnap:qts:4.5.4.1800:build_20210923::::::
cpe:2.3:o:qnap:qts:4.5.4.1892:build_20211223::::::
cpe:2.3:o:qnap:qts:4.5.4.1931:build_20220128::::::
cpe:2.3:o:qnap:qts:4.5.4.2012:build_20220419::::::
cpe:2.3:o:qnap:qts:4.5.4.2117:build_20220802::::::
cpe:2.3:o:qnap:qts:4.5.4.2280:build_20230112::::::
cpe:2.3:o:qnap:qts:4.5.4.2374:build_20230416::::::
cpe:2.3:o:qnap:qts:4.5.4.2467:build_20230718::::::
cpe:2.3:o:qnap:qts:4.5.4.2627:build_20231225::::::
cpe:2.3:o:qnap:quts_hero:h4.5.4.1771:build_20210825::::::
cpe:2.3:o:qnap:quts_hero:h4.5.4.1800:build_20210923::::::

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://www.qnap.com/en/security-advisory/qsa-24-32

CPE	From	Up to
cpe:2.3:o:qnap:qts:4.5.4.1715:build_20210630::::::
cpe:2.3:o:qnap:qts:4.5.4.1723:build_20210708::::::
cpe:2.3:o:qnap:qts:4.5.4.1741:build_20210726::::::
cpe:2.3:o:qnap:qts:4.5.4.1787:build_20210910::::::
cpe:2.3:o:qnap:qts:4.5.4.1800:build_20210923::::::
cpe:2.3:o:qnap:qts:4.5.4.1892:build_20211223::::::
cpe:2.3:o:qnap:qts:4.5.4.1931:build_20220128::::::
cpe:2.3:o:qnap:qts:4.5.4.2012:build_20220419::::::
cpe:2.3:o:qnap:qts:4.5.4.2117:build_20220802::::::
cpe:2.3:o:qnap:qts:4.5.4.2280:build_20230112::::::
cpe:2.3:o:qnap:qts:4.5.4.2374:build_20230416::::::
cpe:2.3:o:qnap:qts:4.5.4.2467:build_20230718::::::
cpe:2.3:o:qnap:qts:4.5.4.2627:build_20231225::::::
cpe:2.3:o:qnap:quts_hero:h4.5.4.1771:build_20210825::::::
cpe:2.3:o:qnap:quts_hero:h4.5.4.1800:build_20210923::::::