CVE-2023-50361

EPSS 0.35%
Veröffentlicht 26.04.2024 15:15:47
Zuletzt bearbeitet 21.11.2024 08:36:54
Quelle security@qnapsecurity.com.tw
Teams Watchlist Login
Unerledigt Login

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.1.6.2722 build 20240402 and later
QuTS hero h5.1.6.2734 build 20240414 and later

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qnap ≫ Qts Version5.1.0.2348 Updatebuild_20230325

Qnap ≫ Qts Version5.1.0.2399 Updatebuild_20230515

Qnap ≫ Qts Version5.1.0.2418 Updatebuild_20230603

Qnap ≫ Qts Version5.1.0.2444 Updatebuild_20230629

Qnap ≫ Qts Version5.1.0.2466 Updatebuild_20230721

Qnap ≫ Qts Version5.1.1.2491 Updatebuild_20230815

Qnap ≫ Qts Version5.1.2.2533 Updatebuild_20230926

Qnap ≫ Qts Version5.1.3.2578 Updatebuild_20231110

Qnap ≫ Qts Version5.1.4.2596 Updatebuild_20231128

Qnap ≫ Qts Version5.1.5.2645 Updatebuild_20240116

Qnap ≫ Qts Version5.1.5.2679 Updatebuild_20240219

Qnap ≫ Quts Hero Versionh5.1.0.2409 Updatebuild_20230525

Qnap ≫ Quts Hero Versionh5.1.0.2424 Updatebuild_20230609

Qnap ≫ Quts Hero Versionh5.1.0.2453 Updatebuild_20230708

Qnap ≫ Quts Hero Versionh5.1.0.2466 Updatebuild_20230721

Qnap ≫ Quts Hero Versionh5.1.1.2488 Updatebuild_20230812

Qnap ≫ Quts Hero Versionh5.1.2.2534 Updatebuild_20230927

Qnap ≫ Quts Hero Versionh5.1.3.2578 Updatebuild_20231110

Qnap ≫ Quts Hero Versionh5.1.4.2596 Updatebuild_20231128

Qnap ≫ Quts Hero Versionh5.1.5.2647 Updatebuild_20240118

Qnap ≫ Quts Hero Versionh5.1.5.2680 Updatebuild_20240220

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.566

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw	5	3.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

CWE-121 Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

https://www.qnap.com/en/security-advisory/qsa-24-20

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-50361

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-50361

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-50361

EUVD