CVE-2023-34974

EPSS 0.15%
Published 06.09.2024 17:15:11
Last modified 13.09.2024 21:14:11
Source security@qnapsecurity.com.tw
Teams watchlist Login
Open Login

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
QuTScloud, QVR, QES are not affected.

We have already fixed the vulnerability in the following versions:
QTS 4.5.4.2790 build 20240605 and later
QuTS hero h4.5.4.2626 build 20231225 and later

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Qnap ≫ Qts Version4.5.4.1715 Updatebuild_20210630

Qnap ≫ Qts Version4.5.4.1723 Updatebuild_20210708

Qnap ≫ Qts Version4.5.4.1741 Updatebuild_20210726

Qnap ≫ Qts Version4.5.4.1787 Updatebuild_20210910

Qnap ≫ Qts Version4.5.4.1800 Updatebuild_20210923

Qnap ≫ Qts Version4.5.4.1892 Updatebuild_20211223

Qnap ≫ Qts Version4.5.4.1931 Updatebuild_20220128

Qnap ≫ Qts Version4.5.4.2012 Updatebuild_20220419

Qnap ≫ Qts Version4.5.4.2117 Updatebuild_20220802

Qnap ≫ Qts Version4.5.4.2280 Updatebuild_20230112

Qnap ≫ Qts Version4.5.4.2374 Updatebuild_20230416

Qnap ≫ Qts Version4.5.4.2467 Updatebuild_20230718

Qnap ≫ Qts Version4.5.4.2627 Updatebuild_20231225

Qnap ≫ Quts Hero Versionh4.5.4.1771 Updatebuild_20210825

Qnap ≫ Quts Hero Versionh4.5.4.1800 Updatebuild_20210923

Qnap ≫ Quts Hero Versionh4.5.4.1813 Updatebuild_20211006

Qnap ≫ Quts Hero Versionh4.5.4.1848 Updatebuild_20211109

Qnap ≫ Quts Hero Versionh4.5.4.1892 Updatebuild_20211223

Qnap ≫ Quts Hero Versionh4.5.4.1951 Updatebuild_20220218

Qnap ≫ Quts Hero Versionh4.5.4.1971 Updatebuild_20220310

Qnap ≫ Quts Hero Versionh4.5.4.1991 Updatebuild_20220330

Qnap ≫ Quts Hero Versionh4.5.4.2052 Updatebuild_20220530

Qnap ≫ Quts Hero Versionh4.5.4.2138 Updatebuild_20220824

Qnap ≫ Quts Hero Versionh4.5.4.2217 Updatebuild_20221111

Qnap ≫ Quts Hero Versionh4.5.4.2272 Updatebuild_20230105

Qnap ≫ Quts Hero Versionh4.5.4.2374 Updatebuild_20230417

Qnap ≫ Quts Hero Versionh4.5.4.2476 Updatebuild_20230728

Qnap ≫ Quts Hero Versionh4.5.4.2626 Updatebuild_20231225

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.362

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://www.qnap.com/en/security-advisory/qsa-24-32

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-34974

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-34974

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-34974

EUVD