CVE-2021-28805

EPSS 0.11%
Published 11.06.2021 07:15:06
Last modified 21.11.2024 06:00:14
Source security@qnapsecurity.com.tw
Teams watchlist Login
Open Login

Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C; versions prior to 1.0.3 build 20210505 on QSW-M2108-2S; versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C; versions prior to 1.0.12 build 20210506 on QSW-M408.

Affected products Warnungen 0 Metrics 4 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Qnap ≫ Qss Version < 1.0.3

   Qnap ≫ Qsw-m2108-2c Version-
   Qnap ≫ Qsw-m2108-2s Version-
   Qnap ≫ Qsw-m2108r-2c Version-

Qnap ≫ Qss Version < 1.0.12

Qnap ≫ Qsw-m408 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.269

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N
security@qnapsecurity.com.tw	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-540 Inclusion of Sensitive Information in Source Code

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

https://www.qnap.com/zh-tw/security-advisory/qsa-21-24

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-28805

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-28805

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-28805

EUVD