7.8

CVE-2024-14026

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following versions:
QTS 5.1.9.2954 build 20241120 and later
QTS 5.2.3.3006 build 20250108 and later
QuTS hero h5.1.9.2954 build 20241120 and later
QuTS hero h5.2.3.3006 build 20250108 and later
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
QnapQts Version5.1.0.2348 Updatebuild_20230325
QnapQts Version5.1.0.2399 Updatebuild_20230515
QnapQts Version5.1.0.2418 Updatebuild_20230603
QnapQts Version5.1.0.2444 Updatebuild_20230629
QnapQts Version5.1.0.2466 Updatebuild_20230721
QnapQts Version5.1.1.2491 Updatebuild_20230815
QnapQts Version5.1.2.2533 Updatebuild_20230926
QnapQts Version5.1.3.2578 Updatebuild_20231110
QnapQts Version5.1.4.2596 Updatebuild_20231128
QnapQts Version5.1.5.2645 Updatebuild_20240116
QnapQts Version5.1.5.2679 Updatebuild_20240219
QnapQts Version5.1.6.2722 Updatebuild_20240402
QnapQts Version5.1.7.2770 Updatebuild_20240520
QnapQts Version5.1.8.2823 Updatebuild_20240712
QnapQts Version5.2.0.2737 Updatebuild_20240417
QnapQts Version5.2.0.2744 Updatebuild_20240424
QnapQts Version5.2.0.2782 Updatebuild_20240601
QnapQts Version5.2.0.2802 Updatebuild_20240620
QnapQts Version5.2.0.2823 Updatebuild_20240711
QnapQts Version5.2.0.2851 Updatebuild_20240808
QnapQts Version5.2.0.2860 Updatebuild_20240817
QnapQts Version5.2.1.2930 Updatebuild_20241025
QnapQts Version5.2.2.2950 Updatebuild_20241114
QnapQuts Hero Versionh5.1.0.2409 Updatebuild_20230525
QnapQuts Hero Versionh5.1.0.2424 Updatebuild_20230609
QnapQuts Hero Versionh5.1.0.2453 Updatebuild_20230708
QnapQuts Hero Versionh5.1.0.2466 Updatebuild_20230721
QnapQuts Hero Versionh5.1.1.2488 Updatebuild_20230812
QnapQuts Hero Versionh5.1.2.2534 Updatebuild_20230927
QnapQuts Hero Versionh5.1.3.2578 Updatebuild_20231110
QnapQuts Hero Versionh5.1.4.2596 Updatebuild_20231128
QnapQuts Hero Versionh5.1.5.2647 Updatebuild_20240118
QnapQuts Hero Versionh5.1.5.2680 Updatebuild_20240220
QnapQuts Hero Versionh5.1.6.2734 Updatebuild_20240414
QnapQuts Hero Versionh5.1.7.2770 Updatebuild_20240520
QnapQuts Hero Versionh5.1.7.2788 Updatebuild_20240607
QnapQuts Hero Versionh5.1.7.2794 Updatebuild_20240613
QnapQuts Hero Versionh5.1.8.2823 Updatebuild_20240712
QnapQuts Hero Versionh5.2.0.2737 Updatebuild_20240417
QnapQuts Hero Versionh5.2.0.2782 Updatebuild_20240601
QnapQuts Hero Versionh5.2.0.2789 Updatebuild_20240607
QnapQuts Hero Versionh5.2.0.2802 Updatebuild_20240620
QnapQuts Hero Versionh5.2.0.2823 Updatebuild_20240711
QnapQuts Hero Versionh5.2.0.2851 Updatebuild_20240808
QnapQuts Hero Versionh5.2.0.2860 Updatebuild_20240817
QnapQuts Hero Versionh5.2.1.2929 Updatebuild_20241025
QnapQuts Hero Versionh5.2.1.2940 Updatebuild_20241105
QnapQuts Hero Versionh5.2.2.2952 Updatebuild_20241116
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.01% 0.025
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw 2 0 0
CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.