7.2

CVE-2023-34979

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.

We have already fixed the vulnerability in the following versions:
QTS 4.5.4.2790 build 20240605 and later
QuTS hero h4.5.4.2790 build 20240606 and later

Data is provided by the National Vulnerability Database (NVD)
Qnap Qts Version 4.5.4.1715 Update build_20210630
Qnap Qts Version 4.5.4.1723 Update build_20210708
Qnap Qts Version 4.5.4.1741 Update build_20210726
Qnap Qts Version 4.5.4.1787 Update build_20210910
Qnap Qts Version 4.5.4.1800 Update build_20210923
Qnap Qts Version 4.5.4.1892 Update build_20211223
Qnap Qts Version 4.5.4.1931 Update build_20220128
Qnap Qts Version 4.5.4.2012 Update build_20220419
Qnap Qts Version 4.5.4.2117 Update build_20220802
Qnap Qts Version 4.5.4.2280 Update build_20230112
Qnap Qts Version 4.5.4.2374 Update build_20230416
Qnap Qts Version 4.5.4.2467 Update build_20230718
Qnap Qts Version 4.5.4.2627 Update build_20231225
Qnap Quts Hero Version h4.5.4.1771 Update build_20210825
Qnap Quts Hero Version h4.5.4.1800 Update build_20210923
Qnap Quts Hero Version h4.5.4.1813 Update build_20211006
Qnap Quts Hero Version h4.5.4.1848 Update build_20211109
Qnap Quts Hero Version h4.5.4.1892 Update build_20211223
Qnap Quts Hero Version h4.5.4.1951 Update build_20220218
Qnap Quts Hero Version h4.5.4.1971 Update build_20220310
Qnap Quts Hero Version h4.5.4.1991 Update build_20220330
Qnap Quts Hero Version h4.5.4.2052 Update build_20220530
Qnap Quts Hero Version h4.5.4.2138 Update build_20220824
Qnap Quts Hero Version h4.5.4.2217 Update build_20221111
Qnap Quts Hero Version h4.5.4.2272 Update build_20230105
Qnap Quts Hero Version h4.5.4.2374 Update build_20230417
Qnap Quts Hero Version h4.5.4.2476 Update build_20230728
Qnap Quts Hero Version h4.5.4.2626 Update build_20231225

No CISA KEV or CERT.AT warning was found for this CVE.

EPSS metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.29% | 0.52 |

CVSS metrics

| Source | Base Score | Exploit Score | Impact Score | Vector string |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| security@qnapsecurity.com.tw | 6.6 | 2.3 | 3.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L |

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.