Lucene search

QnapVULNRICHMENT:CVE-2024-38641

HistorySep 06, 2024 - 4:27 p.m.

CVE-2024-38641 QTS, QuTS hero

2024-09-0616:27:46

CWE-77

CWE-78

qnap

github.com

cve-2024-38641

qts

quts hero

local network users

os command injection

qnap

versions

fixed vulnerability

CVSS4

7.3

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

ACTIVE

CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H

AI Score

7.9

Confidence

Low

EPSS

Percentile

10.2%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors.

We have already fixed the vulnerability in the following versions:
QTS 5.1.8.2823 build 20240712 and later
QuTS hero h5.1.8.2823 build 20240712 and later

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:o:qnap:quts_hero:h5.1.0:*:*:*:*:*:*:*"
    ],
    "vendor": "qnap",
    "product": "quts_hero",
    "versions": [
      {
        "status": "affected",
        "version": "h5.1.0",
        "lessThan": "h5.1.8.2823",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "cpes": [
      "cpe:2.3:o:qnap:qts:5.1.0:*:*:*:*:*:*:*"
    ],
    "vendor": "qnap",
    "product": "qts",
    "versions": [
      {
        "status": "affected",
        "version": "5.1.0",
        "lessThan": "5.1.8.2823",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

www.qnap.com/en/security-advisory/qsa-24-33