CVE-2020-2499 - OpenCVE

A hard-coded password vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow attackers to log in with a hard-coded password. QNAP has already fixed the issue in QES 2.1.1 Build 20200515 and later.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Qes

Configuration 1 [-]

OR	cpe:2.3:a:qnap:qes::::::::
	cpe:2.3:a:qnap:qes:2.1.1:-::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200211::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200303::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200319::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200424::::::

No data.

References

Link	Providers
https://www.qnap.com/zh-tw/security-advisory/qsa-20-19

History

No history.

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2020-12-24T01:38:14.895132Z

Updated: 2024-09-17T03:18:12.926Z

Reserved: 2019-12-09T00:00:00

Link: CVE-2020-2499

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-24T02:15:12.423

Modified: 2020-12-28T15:39:15.053

Link: CVE-2020-2499

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["build 20200515"], "product": "QES", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "2.1.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Lodestone Security"}], "datePublic": "2020-12-23T00:00:00", "descriptions": [{"lang": "en", "value": "A hard-coded password vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow attackers to log in with a hard-coded password. QNAP has already fixed the issue in QES 2.1.1 Build 20200515 and later."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-259", "description": "CWE-259 Use of Hard-coded Password", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-31T16:33:28", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-19"}], "solutions": [{"lang": "en", "value": "QNAP has already fixed the issue in QES 2.1.1 Build 20200515 and later."}], "source": {"advisory": "QSA-20-19", "discovery": "EXTERNAL"}, "title": "Hard-coded Password Vulnerability in QES", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@qnap.com", "DATE_PUBLIC": "2020-12-23T05:49:00.000Z", "ID": "CVE-2020-2499", "STATE": "PUBLIC", "TITLE": "Hard-coded Password Vulnerability in QES"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "QES", "version": {"version_data": [{"platform": "build 20200515", "version_affected": "<", "version_value": "2.1.1"}]}}]}, "vendor_name": "QNAP Systems Inc."}]}}, "credit": [{"lang": "eng", "value": "Lodestone Security"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A hard-coded password vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow attackers to log in with a hard-coded password. QNAP has already fixed the issue in QES 2.1.1 Build 20200515 and later."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-259 Use of Hard-coded Password"}]}, {"description": [{"lang": "eng", "value": "CWE-798 Use of Hard-coded Credentials"}]}, {"description": [{"lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-19", "refsource": "MISC", "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-19"}]}, "solution": [{"lang": "en", "value": "QNAP has already fixed the issue in QES 2.1.1 Build 20200515 and later."}], "source": {"advisory": "QSA-20-19", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:09:54.172Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-19"}]}]}, "cveMetadata": {"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2020-2499", "datePublished": "2020-12-24T01:38:14.895132Z", "dateReserved": "2019-12-09T00:00:00", "dateUpdated": "2024-09-17T03:18:12.926Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qes:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5DBF31A-5D26-4C7D-8E69-31061FC16C6D", "versionEndExcluding": "2.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:-:*:*:*:*:*:*", "matchCriteriaId": "B075440F-4DEA-494D-AE27-1182CA4889D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200211:*:*:*:*:*:*", "matchCriteriaId": "67632014-C383-490C-B048-4DFE88AD3F30", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200303:*:*:*:*:*:*", "matchCriteriaId": "AF83A348-E7B1-4008-8313-9F28B9A9B020", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200319:*:*:*:*:*:*", "matchCriteriaId": "AAF45709-BE55-45A4-8DD1-0D3E417D8382", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200424:*:*:*:*:*:*", "matchCriteriaId": "7C956E79-D019-4AE3-BB65-9A70282CD780", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A hard-coded password vulnerability has been reported to affect earlier versions of QES. If exploited, this vulnerability could allow attackers to log in with a hard-coded password. QNAP has already fixed the issue in QES 2.1.1 Build 20200515 and later."}, {"lang": "es", "value": "Se ha reportado de una vulnerabilidad de contrase\u00f1a embebida que afecta a versiones anteriores de QES. Si es explotada, esta vulnerabilidad podr\u00eda permitir a atacantes iniciar sesi\u00f3n con una contrase\u00f1a embebida. QNAP ya ha corregido el problema en QES versi\u00f3n 2.1.1 Build 20200515 y posteriores"}], "id": "CVE-2020-2499", "lastModified": "2020-12-28T15:39:15.053", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.1, "impactScore": 4.7, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2020-12-24T02:15:12.423", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-19"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-259"}, {"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-798"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}