CVE-2023-47564 - Vulnerability Details - OpenCVE

An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.

We have already fixed the vulnerability in the following versions:
Qsync Central 4.4.0.15 ( 2024/01/04 ) and later
Qsync Central 4.3.0.11 ( 2024/01/11 ) and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.06904.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Qsync Central

Configuration 1 [-]

OR	cpe:2.3:a:qnap:qsync_central::::::::
	cpe:2.3:a:qnap:qsync_central::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-51675	An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.15 ( 2024/01/04 ) and later Qsync Central 4.3.0.11 ( 2024/01/11 ) and later

Fixes

Solution

We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.15 ( 2024/01/04 ) and later Qsync Central 4.3.0.11 ( 2024/01/11 ) and later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-24-03

History

No history.

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2024-02-02T16:05:54.662Z

Updated: 2024-08-29T19:48:47.318Z

Reserved: 2023-11-06T14:11:12.322Z

Link: CVE-2023-47564

Vulnrichment

Updated: 2024-08-02T21:09:37.410Z

NVD

Status : Modified

Published: 2024-02-02T16:15:52.280

Modified: 2024-11-21T08:30:27.967

Link: CVE-2023-47564

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-47564", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2023-11-06T14:11:12.322Z", "datePublished": "2024-02-02T16:05:54.662Z", "dateUpdated": "2024-08-29T19:48:47.318Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Qsync Central", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "4.4.0.15 ( 2024/01/04 )", "status": "affected", "version": "4.4.x.x", "versionType": "custom"}, {"lessThan": "4.3.0.11 ( 2024/01/11 )", "status": "affected", "version": "4.3.x.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "c411e"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>Qsync Central 4.4.0.15 ( 2024/01/04 ) and later<br>Qsync Central 4.3.0.11 ( 2024/01/11 ) and later<br>"}], "value": "An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.15 ( 2024/01/04 ) and later\nQsync Central 4.3.0.11 ( 2024/01/11 ) and later\n"}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-02-02T16:05:54.662Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-03"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>Qsync Central 4.4.0.15 ( 2024/01/04 ) and later<br>Qsync Central 4.3.0.11 ( 2024/01/11 ) and later<br>"}], "value": "We have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.15 ( 2024/01/04 ) and later\nQsync Central 4.3.0.11 ( 2024/01/11 ) and later\n"}], "source": {"advisory": "QSA-24-03", "discovery": "EXTERNAL"}, "title": "Qsync Central", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:09:37.410Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-03", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "qnap", "product": "qsync_central", "cpes": ["cpe:2.3:a:qnap:qsync_central:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.4.0.0", "status": "affected", "lessThan": "4.4.0.15", "versionType": "custom"}, {"version": "4.3.0.0", "status": "affected", "lessThan": "4.3.0.11", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T15:30:29.966841Z", "id": "CVE-2023-47564", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T19:48:47.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-03", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:09:37.410Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-47564", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-28T15:30:29.966841Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qnap:qsync_central:*:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qsync_central", "versions": [{"status": "affected", "version": "4.4.0.0", "lessThan": "4.4.0.15", "versionType": "custom"}, {"status": "affected", "version": "4.3.0.0", "lessThan": "4.3.0.11", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T15:33:36.622Z"}}], "cna": {"title": "Qsync Central", "source": {"advisory": "QSA-24-03", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "c411e"}], "impacts": [{"capecId": "CAPEC-122", "descriptions": [{"lang": "en", "value": "CAPEC-122"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "Qsync Central", "versions": [{"status": "affected", "version": "4.4.x.x", "lessThan": "4.4.0.15 ( 2024/01/04 )", "versionType": "custom"}, {"status": "affected", "version": "4.3.x.x", "lessThan": "4.3.0.11 ( 2024/01/11 )", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.15 ( 2024/01/04 ) and later\nQsync Central 4.3.0.11 ( 2024/01/11 ) and later\n", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>Qsync Central 4.4.0.15 ( 2024/01/04 ) and later<br>Qsync Central 4.3.0.11 ( 2024/01/11 ) and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-03"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.15 ( 2024/01/04 ) and later\nQsync Central 4.3.0.11 ( 2024/01/11 ) and later\n", "supportingMedia": [{"type": "text/html", "value": "An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>Qsync Central 4.4.0.15 ( 2024/01/04 ) and later<br>Qsync Central 4.3.0.11 ( 2024/01/11 ) and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-02-02T16:05:54.662Z"}}}, "cveMetadata": {"cveId": "CVE-2023-47564", "state": "PUBLISHED", "dateUpdated": "2024-08-29T19:48:47.318Z", "dateReserved": "2023-11-06T14:11:12.322Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2024-02-02T16:05:54.662Z", "assignerShortName": "qnap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qsync_central:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F85C926-E2FE-4A8A-95E2-963CFEA1FF7B", "versionEndExcluding": "4.3.0.11", "versionStartIncluding": "4.3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qsync_central:*:*:*:*:*:*:*:*", "matchCriteriaId": "E37FF244-46C8-4849-95D8-03EBCFBADDB8", "versionEndExcluding": "4.4.0.15", "versionStartIncluding": "4.4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.15 ( 2024/01/04 ) and later\nQsync Central 4.3.0.11 ( 2024/01/11 ) and later\n"}, {"lang": "es", "value": "Se ha informado que una asignaci\u00f3n incorrecta de permisos para una vulnerabilidad de recursos cr\u00edticos afecta a Qsync Central. Si se explota, la vulnerabilidad podr\u00eda permitir a los usuarios autenticados leer o modificar el recurso a trav\u00e9s de una red. Ya hemos solucionado la vulnerabilidad en las siguientes versiones: Qsync Central 4.4.0.15 (2024/01/04) y posteriores Qsync Central 4.3.0.11 (2024/01/11) y posteriores"}], "id": "CVE-2023-47564", "lastModified": "2024-11-21T08:30:27.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-02T16:15:52.280", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-03"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}