9.8

CVE-2020-2509

Warning

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

Data is provided by the National Vulnerability Database (NVD)
QnapQts Version < 4.2.6
QnapQts Version >= 4.3.5 < 4.3.6
QnapQts Version >= 4.4.0 < 4.5.1
QnapQts Version4.2.6 Update-
QnapQts Version4.2.6 Updatebuild_20170517
QnapQts Version4.2.6 Updatebuild_20190322
QnapQts Version4.2.6 Updatebuild_20190730
QnapQts Version4.2.6 Updatebuild_20190921
QnapQts Version4.2.6 Updatebuild_20191107
QnapQts Version4.2.6 Updatebuild_20200109
QnapQts Version4.2.6 Updatebuild_20200421
QnapQts Version4.2.6 Updatebuild_20200611
QnapQts Version4.2.6 Updatebuild_20200821
QnapQts Version4.3.3.0174
QnapQts Version4.3.3.0868
QnapQts Version4.3.3.0998
QnapQts Version4.3.3.1051
QnapQts Version4.3.3.1098
QnapQts Version4.3.3.1161
QnapQts Version4.3.3.1252
QnapQts Version4.3.3.1315
QnapQts Version4.3.3.1386
QnapQts Version4.3.3.1432
QnapQts Version4.3.4.0358
QnapQts Version4.3.4.0358 Updatebeta1
QnapQts Version4.3.4.0370
QnapQts Version4.3.4.0370 Updatebeta1
QnapQts Version4.3.4.0372
QnapQts Version4.3.4.0372 Updatebeta1
QnapQts Version4.3.4.0374
QnapQts Version4.3.4.0374 Updatebeta1
QnapQts Version4.3.4.0387
QnapQts Version4.3.4.0387 Updatebeta2
QnapQts Version4.3.4.0411
QnapQts Version4.3.4.0416
QnapQts Version4.3.4.0427
QnapQts Version4.3.4.0434
QnapQts Version4.3.4.0435
QnapQts Version4.3.4.0451
QnapQts Version4.3.4.0483
QnapQts Version4.3.4.0486
QnapQts Version4.3.4.0506
QnapQts Version4.3.4.0516
QnapQts Version4.3.4.0526
QnapQts Version4.3.4.0551
QnapQts Version4.3.4.0557
QnapQts Version4.3.4.0561
QnapQts Version4.3.4.0569
QnapQts Version4.3.4.0593
QnapQts Version4.3.4.0597
QnapQts Version4.3.4.0604
QnapQts Version4.3.4.0899
QnapQts Version4.3.4.1029
QnapQts Version4.3.4.1082
QnapQts Version4.3.4.1190
QnapQts Version4.3.4.1282
QnapQts Version4.3.4.1368
QnapQts Version4.3.4.1417
QnapQts Version4.3.4.1463
QnapQts Version4.3.6 Update-
QnapQts Version4.3.6.0895
QnapQts Version4.3.6.0907
QnapQts Version4.3.6.0923
QnapQts Version4.3.6.0944
QnapQts Version4.3.6.0959
QnapQts Version4.3.6.0979
QnapQts Version4.3.6.0993
QnapQts Version4.3.6.1013
QnapQts Version4.3.6.1033
QnapQts Version4.3.6.1070
QnapQts Version4.3.6.1154
QnapQts Version4.3.6.1218
QnapQts Version4.3.6.1263
QnapQts Version4.3.6.1286
QnapQts Version4.3.6.1333
QnapQts Version4.3.6.1411
QnapQts Version4.3.6.1446
QnapQts Version4.5.1 Update-
QnapQts Version4.5.1.1456
QnapQts Version4.5.1.1461
QnapQts Version4.5.1.1465
QnapQts Version4.5.1.1480
QnapQts Version4.5.2 Update-
QnapQuts Hero Version < h4.5.1
QnapQuts Hero Versionh4.5.1 Update-
QnapQuts Hero Versionh4.5.1.1472

11.04.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

QNAP Network-Attached Storage (NAS) Command Injection Vulnerability

Vulnerability

QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution.

Description

Apply updates per vendor instructions.

Required actions
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 74.04% 0.988
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.