9.8

CVE-2023-23368

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2376 build 20230421 and later
QTS 4.5.4.2374 build 20230416 and later
QuTS hero h5.0.1.2376 build 20230421 and later
QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.1.2374 and later

Data is provided by the National Vulnerability Database (NVD)
QnapQts Version5.0.1 Update-
QnapQts Version5.0.1.2034 Updatebuild_20220515
QnapQts Version5.0.1.2079 Updatebuild_20220629
QnapQts Version5.0.1.2131 Updatebuild_20220820
QnapQts Version5.0.1.2137 Updatebuild_20220826
QnapQts Version5.0.1.2145 Updatebuild_20220903
QnapQts Version5.0.1.2173 Updatebuild_20221001
QnapQts Version5.0.1.2194 Updatebuild_20221022
QnapQts Version5.0.1.2234 Updatebuild_20221201
QnapQts Version5.0.1.2248 Updatebuild_20221215
QnapQts Version5.0.1.2277 Updatebuild_20230112
QnapQts Version5.0.1.2346 Updatebuild_20230322
QnapQts Version4.5.4 Update-
QnapQts Version4.5.4.1715 Updatebuild_20210630
QnapQts Version4.5.4.1723 Updatebuild_20210708
QnapQts Version4.5.4.1741 Updatebuild_20210726
QnapQts Version4.5.4.1787 Updatebuild_20210910
QnapQts Version4.5.4.1800 Updatebuild_20210923
QnapQts Version4.5.4.1892 Updatebuild_20211223
QnapQts Version4.5.4.1931 Updatebuild_20220128
QnapQts Version4.5.4.2012 Updatebuild_20220419
QnapQts Version4.5.4.2117 Updatebuild_20220802
QnapQts Version4.5.4.2280 Updatebuild_20230112
QnapQuts Hero Versionh5.0.1.2045 Updatebuild_20220526
QnapQuts Hero Versionh5.0.1.2192 Updatebuild_20221020
QnapQuts Hero Versionh5.0.1.2248 Updatebuild_20221215
QnapQuts Hero Versionh5.0.1.2269 Updatebuild_20230104
QnapQuts Hero Versionh5.0.1.2277 Updatebuild_20230112
QnapQuts Hero Versionh5.0.1.2348 Updatebuild_20230324
QnapQuts Hero Versionh4.5.4.1771 Updatebuild_20210825
QnapQuts Hero Versionh4.5.4.1800 Updatebuild_20210923
QnapQuts Hero Versionh4.5.4.1813 Updatebuild_20211006
QnapQuts Hero Versionh4.5.4.1848 Updatebuild_20211109
QnapQuts Hero Versionh4.5.4.1892 Updatebuild_20211223
QnapQuts Hero Versionh4.5.4.1951 Updatebuild_20220218
QnapQuts Hero Versionh4.5.4.1971 Updatebuild_20220310
QnapQuts Hero Versionh4.5.4.1991 Updatebuild_20220330
QnapQuts Hero Versionh4.5.4.2052 Updatebuild_20220530
QnapQuts Hero Versionh4.5.4.2138 Updatebuild_20220824
QnapQuts Hero Versionh4.5.4.2217 Updatebuild_20221111
QnapQuts Hero Versionh4.5.4.2272 Updatebuild_20230105
QnapQutscloud Versionc5.0.1.1949 Updatebuild_20220218
QnapQutscloud Versionc5.0.1.1998 Updatebuild_20220408
QnapQutscloud Versionc5.0.1.2044 Updatebuild_20220524
QnapQutscloud Versionc5.0.1.2148 Updatebuild_20220905
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 3.56% 0.873
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.