CVSS v3.1 base score: 8.8

CVE-2023-39297

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.1.4.2596 build 20231128 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.4.2596 build 20231128 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later

Data is provided by the National Vulnerability Database (NVD)
Affected products (NVD CPE configurations; "-" in the Update column means no update/build qualifier is recorded):

Product          Version        Update
QNAP QTS         4.5.4.1715     build_20210630
QNAP QTS         4.5.4.1723     build_20210708
QNAP QTS         4.5.4.1741     build_20210726
QNAP QTS         4.5.4.1787     build_20210910
QNAP QTS         4.5.4.1800     build_20210923
QNAP QTS         4.5.4.1892     build_20211223
QNAP QTS         4.5.4.1931     build_20220128
QNAP QTS         4.5.4.2012     build_20220419
QNAP QTS         4.5.4.2117     build_20220802
QNAP QTS         4.5.4.2280     build_20230112
QNAP QTS         4.5.4.2374     build_20230416
QNAP QTS         4.5.4.2627     -
QNAP QTS         5.1.0.2348     build_20230325
QNAP QTS         5.1.0.2399     build_20230515
QNAP QTS         5.1.0.2418     build_20230603
QNAP QTS         5.1.0.2444     build_20230629
QNAP QTS         5.1.0.2466     build_20230721
QNAP QTS         5.1.1.2491     build_20230815
QNAP QTS         5.1.2.2533     build_20230926
QNAP QTS         5.1.3.2578     build_20231110
QNAP QTS         5.1.4.2596     -
QNAP QuTS hero   h4.5.4.1771    build_20210825
QNAP QuTS hero   h4.5.4.1800    build_20210923
QNAP QuTS hero   h4.5.4.1813    build_20211006
QNAP QuTS hero   h4.5.4.1848    build_20211109
QNAP QuTS hero   h4.5.4.1892    build_20211223
QNAP QuTS hero   h4.5.4.1951    build_20220218
QNAP QuTS hero   h4.5.4.1971    build_20220310
QNAP QuTS hero   h4.5.4.1991    build_20220330
QNAP QuTS hero   h4.5.4.2052    build_20220530
QNAP QuTS hero   h4.5.4.2138    build_20220824
QNAP QuTS hero   h4.5.4.2217    build_20221111
QNAP QuTS hero   h4.5.4.2272    build_20230105
QNAP QuTS hero   h4.5.4.2374    build_20230417
QNAP QuTS hero   h4.5.4.2476    build_20230728
QNAP QuTS hero   h4.5.4.2626    -
QNAP QuTS hero   h5.1.0.2409    build_20230525
QNAP QuTS hero   h5.1.0.2424    build_20230609
QNAP QuTS hero   h5.1.0.2453    build_20230708
QNAP QuTS hero   h5.1.0.2466    build_20230721
QNAP QuTS hero   h5.1.1.2488    build_20230812
QNAP QuTS hero   h5.1.2.2534    build_20230927
QNAP QuTS hero   h5.1.3.2578    build_20231110
QNAP QuTS hero   h5.1.4.2596    -
QNAP QuTScloud   c5.1.0.2498    build_20230822
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS metrics

Type   Source     Score   Percentile
EPSS   FIRST.org  0.3%    0.529
CVSS metrics

Source                        Base score  Exploitability score  Impact score  Vector string
nvd@nist.gov                  8.8         2.8                   5.9           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw  8.8         2.8                   5.9           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.