CVE-2024-38641

EPSS 0.14%
Published 06.09.2024 17:15:16
Last modified 16.09.2024 12:35:23
Source security@qnapsecurity.com.tw
Teams watchlist Login
Open Login

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors.

We have already fixed the vulnerability in the following versions:
QTS 5.1.8.2823 build 20240712 and later
QuTS hero h5.1.8.2823 build 20240712 and later

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Qnap ≫ Qts Version5.1.0.2348 Updatebuild_20230325

Qnap ≫ Qts Version5.1.0.2399 Updatebuild_20230515

Qnap ≫ Qts Version5.1.0.2418 Updatebuild_20230603

Qnap ≫ Qts Version5.1.0.2444 Updatebuild_20230629

Qnap ≫ Qts Version5.1.0.2466 Updatebuild_20230721

Qnap ≫ Qts Version5.1.1.2491 Updatebuild_20230815

Qnap ≫ Qts Version5.1.2.2533 Updatebuild_20230926

Qnap ≫ Qts Version5.1.3.2578 Updatebuild_20231110

Qnap ≫ Qts Version5.1.4.2596 Updatebuild_20231128

Qnap ≫ Qts Version5.1.5.2645 Updatebuild_20240116

Qnap ≫ Qts Version5.1.5.2679 Updatebuild_20240219

Qnap ≫ Qts Version5.1.6.2722 Updatebuild_20240402

Qnap ≫ Qts Version5.1.7.2770 Updatebuild_20240520

Qnap ≫ Quts Hero Versionh5.1.0.2409 Updatebuild_20230525

Qnap ≫ Quts Hero Versionh5.1.0.2424 Updatebuild_20230609

Qnap ≫ Quts Hero Versionh5.1.0.2453 Updatebuild_20230708

Qnap ≫ Quts Hero Versionh5.1.0.2466 Updatebuild_20230721

Qnap ≫ Quts Hero Versionh5.1.1.2488 Updatebuild_20230812

Qnap ≫ Quts Hero Versionh5.1.2.2534 Updatebuild_20230927

Qnap ≫ Quts Hero Versionh5.1.3.2578 Updatebuild_20231110

Qnap ≫ Quts Hero Versionh5.1.4.2596 Updatebuild_20231128

Qnap ≫ Quts Hero Versionh5.1.5.2647 Updatebuild_20240118

Qnap ≫ Quts Hero Versionh5.1.5.2680 Updatebuild_20240220

Qnap ≫ Quts Hero Versionh5.1.6.2734 Updatebuild_20240414

Qnap ≫ Quts Hero Versionh5.1.7.2770 Updatebuild_20240520

Qnap ≫ Quts Hero Versionh5.1.7.2788 Updatebuild_20240607

Qnap ≫ Quts Hero Versionh5.1.7.2794 Updatebuild_20240613

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.353

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw	7.3	0	0	CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://www.qnap.com/en/security-advisory/qsa-24-33

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-38641

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-38641

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-38641

EUVD