{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32974", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2023-05-16T10:44:49.056Z", "datePublished": "2023-10-13T19:16:44.112Z", "dateUpdated": "2024-09-17T16:34:55.421Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QTS", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "5.1.0.2444 build 20230629", "status": "affected", "version": "5.1.x", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QuTS hero", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "h5.1.0.2424 build 20230609", "status": "affected", "version": "h5.1.x", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QuTScloud", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "c5.1.0.2498", "status": "affected", "version": "c5.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "huasheng_mangguo"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 5.1.0.2444 build 20230629 and later<br>QuTS hero h5.1.0.2424 build 20230609 and later<br>QuTScloud c5.1.0.2498 and later<br>"}], "value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.0.2444 build 20230629 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\nQuTScloud c5.1.0.2498 and later\n"}], "impacts": [{"capecId": "CAPEC-76", "descriptions": [{"lang": "en", "value": "CAPEC-76"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2023-10-13T19:16:44.112Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-42"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 5.1.0.2444 build 20230629 and later<br>QuTS hero h5.1.0.2424 build 20230609 and later<br>QuTScloud c5.1.0.2498 and later<br>"}], "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.0.2444 build 20230629 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\nQuTScloud c5.1.0.2498 and later\n"}], "source": {"advisory": "QSA-23-42", "discovery": "EXTERNAL"}, "title": "QTS, QuTS hero, QuTScloud", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:32:46.623Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-42", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "qnap", "product": "qts", "cpes": ["cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.1.0", "status": "affected", "lessThan": "5.1.0.244", "versionType": "custom"}]}, {"vendor": "qnap", "product": "qutscloud", "cpes": ["cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "c5.0.0.1919", "status": "affected", "lessThan": "c5.1.0.2498", "versionType": "custom"}]}, {"vendor": "qnap", "product": "quts_hero", "cpes": ["cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "h5.1.0", "status": "affected", "lessThan": "h5.1.0.2424", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-17T16:30:33.770909Z", "id": "CVE-2023-32974", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T16:34:55.421Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-42", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:32:46.623Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-32974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-17T16:30:33.770909Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qts", "versions": [{"status": "affected", "version": "5.1.0", "lessThan": "5.1.0.244", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qutscloud", "versions": [{"status": "affected", "version": "c5.0.0.1919", "lessThan": "c5.1.0.2498", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "quts_hero", "versions": [{"status": "affected", "version": "h5.1.0", "lessThan": "h5.1.0.2424", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T16:34:46.027Z"}}], "cna": {"title": "QTS, QuTS hero, QuTScloud", "source": {"advisory": "QSA-23-42", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "huasheng_mangguo"}], "impacts": [{"capecId": "CAPEC-76", "descriptions": [{"lang": "en", "value": "CAPEC-76"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QTS", "versions": [{"status": "affected", "version": "5.1.x", "lessThan": "5.1.0.2444 build 20230629", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "QNAP Systems Inc.", "product": "QuTS hero", "versions": [{"status": "affected", "version": "h5.1.x", "lessThan": "h5.1.0.2424 build 20230609", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "QNAP Systems Inc.", "product": "QuTScloud", "versions": [{"status": "affected", "version": "c5.x", "lessThan": "c5.1.0.2498", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.0.2444 build 20230629 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\nQuTScloud c5.1.0.2498 and later\n", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 5.1.0.2444 build 20230629 and later<br>QuTS hero h5.1.0.2424 build 20230609 and later<br>QuTScloud c5.1.0.2498 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-42"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.0.2444 build 20230629 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\nQuTScloud c5.1.0.2498 and later\n", "supportingMedia": [{"type": "text/html", "value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 5.1.0.2444 build 20230629 and later<br>QuTS hero h5.1.0.2424 build 20230609 and later<br>QuTScloud c5.1.0.2498 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2023-10-13T19:16:44.112Z"}}}, "cveMetadata": {"cveId": "CVE-2023-32974", "state": "PUBLISHED", "dateUpdated": "2024-09-17T16:34:55.421Z", "dateReserved": "2023-05-16T10:44:49.056Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2023-10-13T19:16:44.112Z", "assignerShortName": "qnap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "834347F5-87D2-479E-81BF-C5F23534E0F2", "versionEndExcluding": "5.1.0.2444", "versionStartIncluding": "5.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*", "matchCriteriaId": "757BF20E-81DA-447A-B90C-06D096EBACD1", "versionEndExcluding": "h5.1.0.2424", "versionStartIncluding": "h5.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D504C77-393C-4298-9B8E-4408FAA067E1", "versionEndExcluding": "c5.1.0.2498", "versionStartIncluding": "c5.0.0.1919", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.0.2444 build 20230629 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\nQuTScloud c5.1.0.2498 and later\n"}, {"lang": "es", "value": "Se ha informado que una vulnerabilidad de path traversal afecta a varias versiones del sistema operativo QNAP. Si se explota, la vulnerabilidad podr\u00eda permitir a los usuarios leer el contenido de archivos inesperados y exponer datos confidenciales a trav\u00e9s de una red. Ya hemos solucionado la vulnerabilidad en las siguientes versiones: QTS 5.1.0.2444 build 20230629 y posteriores QuTS hero h5.1.0.2424 build 20230609 y posteriores QuTScloud c5.1.0.2498 y posteriores"}], "id": "CVE-2023-32974", "lastModified": "2024-11-21T08:04:19.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-13T20:15:10.007", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-23-42"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-23-42"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}