Lucene search

QnapCVELIST:CVE-2020-2508

HistoryJan 11, 2021 - 2:24 p.m.

CVE-2020-2508 Command Injection Vulnerability in QTS and QuTS hero

2021-01-1114:24:02

CWE-78

CWE-77

qnap

www.cve.org

command injection

qts

quts hero

vulnerability

execute arbitrary commands

qnap

fixed version

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

46.5%

JSON

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later)

CNA Affected

[
  {
    "product": "QTS",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.5.1.1456"
      }
    ]
  },
  {
    "product": "QuTS hero",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "status": "affected",
        "version": "< h4.5.1.1472"
      }
    ]
  }
]

References

www.qnap.com/zh-tw/security-advisory/qsa-21-01

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

46.5%

JSON

Related for CVELIST:CVE-2020-2508