CVE-2023-32974

EPSS 0.22%
Published 13.10.2023 20:15:10
Last modified 21.11.2024 08:04:19
Source security@qnapsecurity.com.tw
Teams watchlist Login
Open Login

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.1.0.2444 build 20230629 and later
QuTS hero h5.1.0.2424 build 20230609 and later
QuTScloud c5.1.0.2498 and later

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Qnap ≫ Qts Version >= 5.1.0 < 5.1.0.2444

Qnap ≫ Quts Hero Version >= h5.1.0 < h5.1.0.2424

Qnap ≫ Qutscloud Version >= c5.0.0.1919 < c5.1.0.2498

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.22%	0.45

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@qnapsecurity.com.tw	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://www.qnap.com/en/security-advisory/qsa-23-42

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-32974

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32974

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32974

EUVD