CVE-2023-34972 - OpenCVE

A cleartext transmission of sensitive information vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to read the contents of unexpected sensitive data via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later QTS 5.1.0.2444 build 20230629 and later QuTS hero h5.1.0.2424 build 20230609 and later

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Qts Quts Hero

Configuration 1 [-]

OR	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:quts_hero::::::::

No data.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-23-58

History

No history.

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2023-08-24T16:15:16.038Z

Updated: 2024-08-02T16:17:04.254Z

Reserved: 2023-06-08T08:26:04.294Z

Link: CVE-2023-34972

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-24T17:15:08.693

Modified: 2023-08-31T18:03:09.587

Link: CVE-2023-34972

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34972", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2023-06-08T08:26:04.294Z", "datePublished": "2023-08-24T16:15:16.038Z", "dateUpdated": "2024-08-02T16:17:04.254Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QTS", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "5.0.1.2425 build 20230609", "status": "affected", "version": "5.0.*", "versionType": "custom"}, {"lessThan": "5.1.0.2444 build 20230629", "status": "affected", "version": "5.1.*", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QuTS hero", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "h5.1.0.2424 build 20230609", "status": "affected", "version": "h5.1.*", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Domen Puncer Kugler"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A cleartext transmission of sensitive information vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to read the contents of unexpected sensitive data via unspecified vectors.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 5.0.1.2425 build 20230609 and later<br>QTS 5.1.0.2444 build 20230629 and later<br>QuTS hero h5.1.0.2424 build 20230609 and later<br>"}], "value": "A cleartext transmission of sensitive information vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to read the contents of unexpected sensitive data via unspecified vectors.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2425 build 20230609 and later\nQTS 5.1.0.2444 build 20230629 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\n"}], "impacts": [{"capecId": "CAPEC-102", "descriptions": [{"lang": "en", "value": "CAPEC-102"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2023-08-24T16:15:16.038Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-58"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 5.0.1.2425 build 20230609 and later<br>QTS 5.1.0.2444 build 20230629 and later<br>QuTS hero h5.1.0.2424 build 20230609 and later<br>"}], "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2425 build 20230609 and later\nQTS 5.1.0.2444 build 20230629 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\n"}], "source": {"advisory": "QSA-23-58", "discovery": "EXTERNAL"}, "title": "QTS, QuTS hero and QuTScloud", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:17:04.254Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-58", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "8677D804-106F-4F0F-B15D-AE998EF2D5ED", "versionEndExcluding": "5.0.1.2425", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "834347F5-87D2-479E-81BF-C5F23534E0F2", "versionEndExcluding": "5.1.0.2444", "versionStartIncluding": "5.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*", "matchCriteriaId": "757BF20E-81DA-447A-B90C-06D096EBACD1", "versionEndExcluding": "h5.1.0.2424", "versionStartIncluding": "h5.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cleartext transmission of sensitive information vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to read the contents of unexpected sensitive data via unspecified vectors.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2425 build 20230609 and later\nQTS 5.1.0.2444 build 20230629 and later\nQuTS hero h5.1.0.2424 build 20230609 and later\n"}], "id": "CVE-2023-34972", "lastModified": "2023-08-31T18:03:09.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2023-08-24T17:15:08.693", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-23-58"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}