CVE-2021-44052

EPSS 0.42%
Published 05.05.2022 17:15:10
Last modified 21.11.2024 06:30:18
Source security@qnapsecurity.com.tw
Teams watchlist Login
Open Login

An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 4.3.4.1976 build 20220303 and later QTS 4.3.3.1945 build 20220303 and later QTS 4.2.6 build 20220304 and later QTS 4.3.6.1965 build 20220302 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Qnap ≫ Qts Version >= 5.0.0.1716 < 5.0.0.1986

Qnap ≫ Qts Version >= 4.3.3.0174 < 4.3.3.1945

Qnap ≫ Qts Version >= 4.3.4.0899 < 4.3.4.1976

Qnap ≫ Qts Version >= 4.3.6.0895 < 4.3.6.1965

Qnap ≫ Qts Version >= 4.4.0.0883 < 4.5.4.1991

Qnap ≫ Qts Version4.2.6 Updatebuild_20170517

Qnap ≫ Qts Version4.2.6 Updatebuild_20190322

Qnap ≫ Qts Version4.2.6 Updatebuild_20190730

Qnap ≫ Qts Version4.2.6 Updatebuild_20190921

Qnap ≫ Qts Version4.2.6 Updatebuild_20191107

Qnap ≫ Qts Version4.2.6 Updatebuild_20200109

Qnap ≫ Qts Version4.2.6 Updatebuild_20200421

Qnap ≫ Qts Version4.2.6 Updatebuild_20200611

Qnap ≫ Qts Version4.2.6 Updatebuild_20200821

Qnap ≫ Qts Version4.2.6 Updatebuild_20210327

Qnap ≫ Qts Version4.2.6 Updatebuild_20211215

Qnap ≫ Quts Hero Version < h4.5.4.1771

Qnap ≫ Quts Hero Version >= h5.0.0.1772 < h5.0.0.1986

Qnap ≫ Qutscloud Version < c5.0.1.1998

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.42%	0.611

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:P/I:P/A:N
security@qnapsecurity.com.tw	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://www.qnap.com/en/security-advisory/qsa-22-16

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-44052

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-44052

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-44052

EUVD