CVE-2022-27596 - OpenCVE

A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later QTS 5.0.1.2234 build 20221201 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Qts Quts Hero

Configuration 1 [-]

OR	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:quts_hero::::::::

No data.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-23-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2023-01-30T01:13:47.317Z

Updated: 2024-08-03T05:32:59.336Z

Reserved: 2022-03-21T22:02:33.326Z

Link: CVE-2022-27596

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-30T02:15:08.463

Modified: 2023-11-07T03:45:21.480

Link: CVE-2022-27596

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-27596", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2022-03-21T22:02:33.326Z", "datePublished": "2023-01-30T01:13:47.317Z", "dateUpdated": "2024-08-03T05:32:59.336Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QuTS hero", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "h5.0.1.2248 build 20221215", "status": "affected", "version": "h5.0.1", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QTS", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "5.0.1.2234 build 20221201", "status": "affected", "version": "5.0.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "huasheng_mangguo"}], "datePublic": "2023-01-30T09:53:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.<br>We have already fixed this vulnerability in the following versions of QuTS hero, QTS:<br>QuTS hero h5.0.1.2248 build 20221215 and later<br>QTS 5.0.1.2234 build 20221201 and later<br>"}], "value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\nWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2023-02-03T01:04:37.338Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS:<br>QuTS hero h5.0.1.2248 build 20221215 and later<br>QTS 5.0.1.2234 build 20221201 and later<br>"}], "value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"}], "source": {"advisory": "QSA-23-01", "discovery": "EXTERNAL"}, "title": "Vulnerability in QTS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:32:59.336Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-01", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDB678B3-A51E-4F60-B049-FED59A368B9B", "versionEndExcluding": "5.0.1.2234", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B1CD08D-792B-45D9-8CCA-5222EE75A870", "versionEndExcluding": "h5.0.1.2248", "versionStartIncluding": "h5.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\nWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"}, {"lang": "es", "value": "Se ha informado que una vulnerabilidad afecta al dispositivo QNAP que ejecuta QuTS hero, QTS. Si se explota, esta vulnerabilidad permite a atacantes remotos inyectar c\u00f3digo malicioso. Ya hemos solucionado esta vulnerabilidad en las siguientes versiones de QuTS hero, QTS: QuTS hero h5.0.1.2248 compilaci\u00f3n 20221215 y posteriores QTS 5.0.1.2234 compilaci\u00f3n 20221201 y posteriores"}], "id": "CVE-2022-27596", "lastModified": "2023-11-07T03:45:21.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2023-01-30T02:15:08.463", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-23-01"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}