Lucene search

[email protected]CVE-2020-2509

HistoryApr 17, 2021 - 4:15 a.m.

CVE-2020-2509

2021-04-1704:15:00

CWE-77

[email protected]

web.nvd.nist.gov

978

In Wild

cve-2020-2509

qts

quts hero

command injection

vulnerability

security

nvd

exploit

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

58.7%

JSON

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

CPENameOperatorVersion
qnap:qtsqnap qtseq4.3.4.0387
qnap:qtsqnap qtseq4.3.4.0370
qnap:qtsqnap qtseq4.3.4.0372
qnap:qtsqnap qtseq4.3.4.0374
qnap:qtsqnap qtseq4.3.4.0358
qnap:qtsqnap qtseq4.3.4.0604
qnap:qtsqnap qtseq4.3.4.0597
qnap:qtsqnap qtseq4.3.4.0593
qnap:qtsqnap qtseq4.3.4.0569
qnap:qtsqnap qtseq4.3.4.0561

CPE	Name	Operator	Version
qnap:qts	qnap qts	eq	4.3.4.0387
qnap:qts	qnap qts	eq	4.3.4.0370
qnap:qts	qnap qts	eq	4.3.4.0372
qnap:qts	qnap qts	eq	4.3.4.0374
qnap:qts	qnap qts	eq	4.3.4.0358
qnap:qts	qnap qts	eq	4.3.4.0604
qnap:qts	qnap qts	eq	4.3.4.0597
qnap:qts	qnap qts	eq	4.3.4.0593
qnap:qts	qnap qts	eq	4.3.4.0569
qnap:qts	qnap qts	eq	4.3.4.0561