CVE-2024-21903

MEDIUM EPSS 52.0%

Published Sep 6, 20241y ago · Modified Jun 17, 20261w ago

4.7 CVSS 3.1

Medium

Published Sep 6, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

CVSS Details

Base Score

4.7

Exploitability

1.2

Impact

3.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability Low

Threat Intelligence

EPSS Exploit Probability

52.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-77 Command Injection Injection

CWE-78 OS Command Injection Injection

Affected Products 21

Vendor	Product	Version	Range
qnap	qts	5.1.0.2348	any
qnap	qts	5.1.0.2399	any
qnap	qts	5.1.0.2418	any
qnap	qts	5.1.0.2444	any
qnap	qts	5.1.0.2466	any
qnap	qts	5.1.1.2491	any
qnap	qts	5.1.2.2533	any
qnap	qts	5.1.3.2578	any
qnap	qts	5.1.4.2596	any
qnap	qts	5.1.5.2645	any
qnap	qts	5.1.5.2679	any
qnap	quts_hero	h5.1.0.2409	any
qnap	quts_hero	h5.1.0.2424	any
qnap	quts_hero	h5.1.0.2453	any
qnap	quts_hero	h5.1.0.2466	any
qnap	quts_hero	h5.1.1.2488	any
qnap	quts_hero	h5.1.2.2534	any
qnap	quts_hero	h5.1.3.2578	any
qnap	quts_hero	h5.1.4.2596	any
qnap	quts_hero	h5.1.5.2647	any
qnap	quts_hero	h5.1.5.2680	any

References 1

qnap.com https://www.qnap.com/en/security-advisory/qsa-24-20

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.