CVE-2023-23367

EPSS 0.16%
Veröffentlicht 10.11.2023 15:15:08
Zuletzt bearbeitet 21.11.2024 07:46:02
Quelle security@qnapsecurity.com.tw
CVE-Watchlists
Login
Unerledigt
Login

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2376 build 20230421 and later
QuTS hero h5.0.1.2376 build 20230421 and later
QuTScloud c5.1.0.2498 and later

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qnap ≫ Qts Version5.0.0.1716 Updatebuild_20210701

Qnap ≫ Qts Version5.0.0.1785 Updatebuild_20210908

Qnap ≫ Qts Version5.0.0.1808 Updatebuild_20211001

Qnap ≫ Qts Version5.0.0.1828 Updatebuild_20211020

Qnap ≫ Qts Version5.0.0.1837 Updatebuild_20211029

Qnap ≫ Qts Version5.0.0.1850 Updatebuild_20211111

Qnap ≫ Qts Version5.0.0.1853 Updatebuild_20211114

Qnap ≫ Qts Version5.0.0.1858 Updatebuild_20211119

Qnap ≫ Qts Version5.0.0.1870 Updatebuild_20211201

Qnap ≫ Qts Version5.0.1.2034 Updatebuild_20220515

Qnap ≫ Qts Version5.0.1.2079 Updatebuild_20220629

Qnap ≫ Qts Version5.0.1.2131 Updatebuild_20220820

Qnap ≫ Qts Version5.0.1.2137 Updatebuild_20220826

Qnap ≫ Qts Version5.0.1.2145 Updatebuild_20220903

Qnap ≫ Qts Version5.0.1.2173 Updatebuild_20221001

Qnap ≫ Qts Version5.0.1.2194 Updatebuild_20221022

Qnap ≫ Qts Version5.0.1.2234 Updatebuild_20221201

Qnap ≫ Qts Version5.0.1.2248 Updatebuild_20221215

Qnap ≫ Qts Version5.0.1.2277 Updatebuild_20230112

Qnap ≫ Qts Version5.0.1.2346 Updatebuild_20230322

Qnap ≫ Quts Hero Versionh5.0.0.1772 Updatebuild_20210826

Qnap ≫ Quts Hero Versionh5.0.0.1844 Updatebuild_20211105

Qnap ≫ Quts Hero Versionh5.0.0.1856 Updatebuild_20211117

Qnap ≫ Quts Hero Versionh5.0.0.1892 Updatebuild_20211222

Qnap ≫ Quts Hero Versionh5.0.0.1900 Updatebuild_20211228

Qnap ≫ Quts Hero Versionh5.0.0.1949 Updatebuild_20220215

Qnap ≫ Quts Hero Versionh5.0.0.1986 Updatebuild_20220324

Qnap ≫ Quts Hero Versionh5.0.0.2022 Updatebuild_20220428

Qnap ≫ Quts Hero Versionh5.0.0.2069 Updatebuild_20220614

Qnap ≫ Quts Hero Versionh5.0.0.2120 Updatebuild_20220804

Qnap ≫ Quts Hero Versionh5.0.1.2045 Updatebuild_20220526

Qnap ≫ Quts Hero Versionh5.0.1.2192 Updatebuild_20221020

Qnap ≫ Quts Hero Versionh5.0.1.2248 Updatebuild_20221215

Qnap ≫ Quts Hero Versionh5.0.1.2269 Updatebuild_20230104

Qnap ≫ Quts Hero Versionh5.0.1.2277 Updatebuild_20230112

Qnap ≫ Quts Hero Versionh5.0.1.2348 Updatebuild_20230324

Qnap ≫ Qutscloud Versionc5.0.0.1919 Updatebuild_20220119

Qnap ≫ Qutscloud Versionc5.0.1.1949 Updatebuild_20220218

Qnap ≫ Qutscloud Versionc5.0.1.1998 Updatebuild_20220408

Qnap ≫ Qutscloud Versionc5.0.1.2044 Updatebuild_20220524

Qnap ≫ Qutscloud Versionc5.0.1.2148 Updatebuild_20220905

Qnap ≫ Qutscloud Versionc5.0.1.2374 Updatebuild_20230419

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.378

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw	4.7	1.2	3.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://www.qnap.com/en/security-advisory/qsa-23-24

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-23367

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-23367

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-23367

EUVD