CVE-2023-39299 - Vulnerability Details - OpenCVE

A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.

We have already fixed the vulnerability in the following versions:
Music Station 4.8.11 and later
Music Station 5.1.16 and later
Music Station 5.3.23 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0013.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Music Station

Configuration 1 [-]

OR	cpe:2.3:a:qnap:music_station::::::::
	cpe:2.3:a:qnap:music_station::::::::
	cpe:2.3:a:qnap:music_station::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-43031	A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: Music Station 4.8.11 and later Music Station 5.1.16 and later Music Station 5.3.23 and later

Fixes

Solution

We have already fixed the vulnerability in the following versions: Music Station 4.8.11 and later Music Station 5.1.16 and later Music Station 5.3.23 and later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-23-61

History

No history.

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2023-11-03T16:34:46.932Z

Updated: 2024-09-05T18:40:12.259Z

Reserved: 2023-07-27T06:46:01.477Z

Link: CVE-2023-39299

Vulnrichment

Updated: 2024-08-02T18:02:06.853Z

NVD

Status : Modified

Published: 2023-11-03T17:15:08.900

Modified: 2024-11-21T08:15:06.383

Link: CVE-2023-39299

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39299", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2023-07-27T06:46:01.477Z", "datePublished": "2023-11-03T16:34:46.932Z", "dateUpdated": "2024-09-05T18:40:12.259Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Music Station", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "4.8.11", "status": "affected", "version": "4.8.x", "versionType": "custom"}, {"lessThan": "5.1.16", "status": "affected", "version": "5.1.x", "versionType": "custom"}, {"lessThan": "5.3.23", "status": "affected", "version": "5.3.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "fredoun"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>Music Station 4.8.11 and later<br>Music Station 5.1.16 and later<br>Music Station 5.3.23 and later<br>"}], "value": "A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nMusic Station 4.8.11 and later\nMusic Station 5.1.16 and later\nMusic Station 5.3.23 and later\n"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2023-11-03T16:34:46.932Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-61"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>Music Station 4.8.11 and later<br>Music Station 5.1.16 and later<br>Music Station 5.3.23 and later<br>"}], "value": "We have already fixed the vulnerability in the following versions:\nMusic Station 4.8.11 and later\nMusic Station 5.1.16 and later\nMusic Station 5.3.23 and later\n"}], "source": {"advisory": "QSA-23-61", "discovery": "EXTERNAL"}, "title": "Music Station", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.853Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-61", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "qnap", "product": "music_station", "cpes": ["cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.8.x", "status": "affected", "lessThan": "4.8.11", "versionType": "custom"}, {"version": "5.1.x", "status": "affected", "lessThan": "5.1.16", "versionType": "custom"}, {"version": "5.3.x", "status": "affected", "lessThan": "5.3.23", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T18:29:43.152642Z", "id": "CVE-2023-39299", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T18:40:12.259Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-61", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.853Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39299", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T18:29:43.152642Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "music_station", "versions": [{"status": "affected", "version": "4.8.x", "lessThan": "4.8.11", "versionType": "custom"}, {"status": "affected", "version": "5.1.x", "lessThan": "5.1.16", "versionType": "custom"}, {"status": "affected", "version": "5.3.x", "lessThan": "5.3.23", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T18:40:08.066Z"}}], "cna": {"title": "Music Station", "source": {"advisory": "QSA-23-61", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "fredoun"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "Music Station", "versions": [{"status": "affected", "version": "4.8.x", "lessThan": "4.8.11", "versionType": "custom"}, {"status": "affected", "version": "5.1.x", "lessThan": "5.1.16", "versionType": "custom"}, {"status": "affected", "version": "5.3.x", "lessThan": "5.3.23", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nMusic Station 4.8.11 and later\nMusic Station 5.1.16 and later\nMusic Station 5.3.23 and later\n", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>Music Station 4.8.11 and later<br>Music Station 5.1.16 and later<br>Music Station 5.3.23 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-61"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nMusic Station 4.8.11 and later\nMusic Station 5.1.16 and later\nMusic Station 5.3.23 and later\n", "supportingMedia": [{"type": "text/html", "value": "A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>Music Station 4.8.11 and later<br>Music Station 5.1.16 and later<br>Music Station 5.3.23 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2023-11-03T16:34:46.932Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39299", "state": "PUBLISHED", "dateUpdated": "2024-09-05T18:40:12.259Z", "dateReserved": "2023-07-27T06:46:01.477Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2023-11-03T16:34:46.932Z", "assignerShortName": "qnap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9FA0BAC-F9DE-420E-A9DC-3E1A01A3F6EB", "versionEndExcluding": "4.8.11", "versionStartIncluding": "4.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "017EC098-8277-4DDB-8BD3-6466108022CD", "versionEndExcluding": "5.1.16", "versionStartIncluding": "5.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "95DA9DC0-2461-400D-AACF-9CD9186F8E3D", "versionEndExcluding": "5.3.23", "versionStartIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nMusic Station 4.8.11 and later\nMusic Station 5.1.16 and later\nMusic Station 5.3.23 and later\n"}, {"lang": "es", "value": "Se ha informado que una vulnerabilidad de path traversal que afecta a Music Station. Si se explota, la vulnerabilidad podr\u00eda permitir a los usuarios leer el contenido de archivos inesperados y exponer datos confidenciales a trav\u00e9s de una red. Ya hemos solucionado la vulnerabilidad en las siguientes versiones: Music Station 4.8.11 y posteriores Music Station 5.1.16 y posteriores Music Station 5.3.23 y posteriores"}], "id": "CVE-2023-39299", "lastModified": "2024-11-21T08:15:06.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-03T17:15:08.900", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-23-61"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-23-61"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}