CVE-2023-39301

EPSS 0.2%
Published 03.11.2023 17:15:08
Last modified 21.11.2024 08:15:06
Source security@qnapsecurity.com.tw
Teams watchlist Login
Open Login

A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read application data via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2514 build 20230906 and later
QTS 5.1.1.2491 build 20230815 and later
QuTS hero h5.0.1.2515 build 20230907 and later
QuTS hero h5.1.1.2488 build 20230812 and later
QuTScloud c5.1.0.2498 and later

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Qnap ≫ Qts Version < 5.1.1.2491

Qnap ≫ Qts Version < 5.0.1.2514

Qnap ≫ Quts Hero Version < h5.1.1.2488

Qnap ≫ Quts Hero Version < h5.0.1.2515

Qnap ≫ Qutscloud Version < c5.1.0.2498

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.2%	0.42

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security@qnapsecurity.com.tw	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://www.qnap.com/en/security-advisory/qsa-23-51

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-39301

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-39301

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-39301

EUVD