ID CVE-2020-25847 Type cve Reporter cve@mitre.org Modified 2020-12-30T16:15:00
Description
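This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero. The version list is not reproduced in this description: per the affected-software data in this record, QTS versions earlier than 4.5.1.1495 and QuTS hero versions earlier than h4.5.1.1491 are affected, and the vendor advisory QSA-20-20 is the authoritative source for the fixed builds. The CVSS v3.1 vector in this record (AV:N, PR:L) rates the issue as reachable over the network by an account with low privileges.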
{"id": "CVE-2020-25847", "bulletinFamily": "NVD", "title": "CVE-2020-25847", "description": "This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero.", "published": "2020-12-29T07:15:00", "modified": "2020-12-30T16:15:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25847", "reporter": "cve@mitre.org", "references": ["https://www.qnap.com/en/security-advisory/qsa-20-20"], "cvelist": ["CVE-2020-25847"], "type": "cve", "lastseen": "2021-02-02T07:37:04", "edition": 4, "viewCount": 41, "enchantments": {"dependencies": {"references": [], "modified": "2021-02-02T07:37:04", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2021-02-02T07:37:04", "rev": 2}, "twitter": {"counter": 24, "modified": "2020-12-30T13:53:03", "tweets": [{"link": "https://twitter.com/Velletron/status/1343895852218245122", "text": "CVE-2020-25847 https://t.co/D09yL2hy0R?amp=1 /hashtag/CVE?src=hashtag_click /hashtag/Vulnerability?src=hashtag_click"}, {"link": "https://twitter.com/Tribe_Secure/status/1343905997631365120", "text": "CVE-2020-25847 https://t.co/aMr9LacUTi?amp=1 /hashtag/TribeSecure?src=hashtag_click /hashtag/CyberAwareness?src=hashtag_click"}, {"link": "https://twitter.com/SecRiskRptSME/status/1344195786737905669", "text": "New/Modified vulnerability published December 28, 2020 at 11:15PM on the NVD: CVE-2020-25847 https://t.co/Tl4CRX7yGB?amp=1 This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. 
QNAP have already fixed this vulnerability in t\u2026"}, {"link": "https://twitter.com/threatmeter/status/1344205158998306818", "text": "QNAP QTS/QuTS Hero Application command injection [CVE-2020-25847] A vulnerability was found in QNAP QTS and QuTS Hero (Network Attached Storage Software) (affected version not known). It has been rated as critical. Affected by this issue is an unknown pa\u2026 https://t.co/9OzfspKfiV?amp=1"}, {"link": "https://twitter.com/SecurityMagnate/status/1344209740537102336", "text": "threatmeter: QNAP QTS/QuTS Hero Application command injection [CVE-2020-25847] A vulnerability was found in QNAP QTS and QuTS Hero (Network Attached Storage Software) (affected version not known). It has been rated as critical. Affected by this issue is \u2026 https://t.co/rzahuS44jm?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1343962628817870848", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (QTS/QuTS Hero Application command injection [CVE-2020-25847]) has been published on https://t.co/eAc9zuN2FI?amp=1"}, {"link": "https://twitter.com/WesUncensored/status/1343883508264132609", "text": "New vulnerability on the NVD: CVE-2020-25847 https://t.co/DJwmwumZtw?amp=1"}, {"link": "https://twitter.com/digitpol_cyber/status/1344279782226239488", "text": "New post: CVE-2020-25847 Qnap Systems QNAP QTS\u548cQNAP Systems QUTS Hero \u6ce8\u5165\u6f0f\u6d1e -\u6f0f\u6d1e\u60c5\u62a5\u3001\u6f0f\u6d1e\u8be6\u60c5\u3001\u5b89\u5168\u6f0f\u6d1e\u3001CVE https://t.co/WZYU5uFQTG?amp=1\u548cqnap-systems-quts-hero-\u6ce8\u5165\u6f0f\u6d1e-\u6f0f\u6d1e\u60c5\u62a5\u3001\u6f0f\u6d1e\u8be6\u60c5\u3001/"}, {"link": "https://twitter.com/www_sesin_at/status/1343962626376785921", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (QTS/QuTS Hero Application command injection [CVE-2020-25847]) has been published on https://t.co/mXwgTtsses?amp=1"}]}, "vulnersScore": 5.4}, "cpe": [], "affectedSoftware": [{"cpeName": "qnap:quts_hero", "name": "qnap quts hero", 
"operator": "lt", "version": "h4.5.1.1491"}, {"cpeName": "qnap:qts", "name": "qnap qts", "operator": "lt", "version": "4.5.1.1495"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:qnap:qts:4.5.1.1495:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.1.1495", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:qnap:quts_hero:h4.5.1.1491:*:*:*:*:*:*:*", "versionEndExcluding": "h4.5.1.1491", "vulnerable": true}], "operator": "OR"}]}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "cpe23": [], "cwe": ["CWE-77"], "scheme": null, "extraReferences": [{"name": "N/A", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-20-20"}]}