Lucene search

[email protected]CVE-2021-28812

HistoryJun 03, 2021 - 3:15 a.m.

CVE-2021-28812

2021-06-0303:15:08

CWE-78

CWE-1286

CWE-77

[email protected]

web.nvd.nist.gov

cve-2021-28812

command injection

vulnerability

video station

qnap systems inc.

remote attackers

arbitrary commands

qts 4.5.2

quts hero

qutscloud

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.3%

JSON

A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Video Station versions prior to 5.5.4 on QTS 4.5.2; versions prior to 5.5.4 on QuTS hero h4.5.2; versions prior to 5.5.4 on QuTScloud c4.5.4. This issue does not affect: QNAP Systems Inc. Video Station on QTS 4.3.6; on QTS 4.3.3.

Affected configurations

NVD

Node

qnapvideo_stationRange<5.5.4

AND

qnapqtsMatch4.5.2

Node

qnapvideo_stationRange<5.5.4

AND

qnapquts_heroMatchh4.5.2

Node

qnapvideo_stationRange<5.5.4

AND

qnapqutscloudMatchc4.5.4

CPENameOperatorVersion
qnap:video_stationqnap video stationlt5.5.4

CPE	Name	Operator	Version
qnap:video_station	qnap video station	lt	5.5.4

CNA Affected

[
  {
    "platforms": [
      "QTS 4.5.2"
    ],
    "product": "Video Station",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "5.5.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "QuTS hero h4.5.2"
    ],
    "product": "Video Station",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "5.5.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "QuTScloud c4.5.4"
    ],
    "product": "Video Station",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "5.5.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "platforms": [
      "QTS 4.3.6"
    ],
    "product": "Video Station",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "status": "unaffected",
        "version": "5.3.x"
      }
    ]
  },
  {
    "platforms": [
      "QTS 4.3.3"
    ],
    "product": "Video Station",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "status": "unaffected",
        "version": "5.1.x"
      }
    ]
  }
]

References

www.qnap.com/zh-tw/security-advisory/qsa-21-21

Social References

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.3%

JSON

Related for CVE-2021-28812

cvelist1 openvas1 nvd1 prion1