CVE-2018-19957 - OpenCVE

A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Qnap	Quts Hero Qts Qutscloud

Configuration 1 [-]

OR	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:quts_hero::::::::
	cpe:2.3:o:qnap:qutscloud::::::::

References

Link	Resource
https://www.qnap.com/en/security-advisory/qsa-21-03	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: qnap

Published: 2021-09-10T00:00:00

Updated: 2021-09-10T04:00:18

Reserved: 2018-12-07T00:00:00

Link: CVE-2018-19957

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-09-10T04:15:08.857

Modified: 2021-09-23T15:49:14.857

Link: CVE-2018-19957

JSON object: View

Redhat Information

No data.

CWE

CWE-1021

{"containers": {"cna": {"affected": [{"product": "QTS", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "4.5.4.1715 build 20210630", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "QuTS hero", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "h4.5.4.1771 build 20210825", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "QuTScloud", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "c4.5.6.1755 build 20210809", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Independent Security Evaluators"}], "datePublic": "2021-09-10T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1021", "description": "CWE-1021", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-10T04:00:18", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-03"}], "solutions": [{"lang": "en", "value": "QNAP have already fixed this vulnerability in the following versions:\nQTS 4.5.4.1715 build 20210630 and later\nQuTS hero h4.5.4.1771 build 20210825 and later\nQuTScloud c4.5.6.1755 build 20210809 and later"}], "source": {"advisory": "QSA-21-03", "discovery": "EXTERNAL"}, "title": "Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@qnap.com", "DATE_PUBLIC": "2021-09-10T01:44:00.000Z", "ID": "CVE-2018-19957", "STATE": "PUBLIC", "TITLE": "Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "QTS", "version": {"version_data": [{"version_affected": "<", "version_value": "4.5.4.1715 build 20210630"}]}}, {"product_name": "QuTS hero", "version": {"version_data": [{"version_affected": "<", "version_value": "h4.5.4.1771 build 20210825"}]}}, {"product_name": "QuTScloud", "version": {"version_data": [{"version_affected": "<", "version_value": "c4.5.6.1755 build 20210809"}]}}]}, "vendor_name": "QNAP Systems Inc."}]}}, "credit": [{"lang": "eng", "value": "Independent Security Evaluators"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-1021"}]}]}, "references": {"reference_data": [{"name": "https://www.qnap.com/en/security-advisory/qsa-21-03", "refsource": "MISC", "url": "https://www.qnap.com/en/security-advisory/qsa-21-03"}]}, "solution": [{"lang": "en", "value": "QNAP have already fixed this vulnerability in the following versions:\nQTS 4.5.4.1715 build 20210630 and later\nQuTS hero h4.5.4.1771 build 20210825 and later\nQuTScloud c4.5.6.1755 build 20210809 and later"}], "source": {"advisory": "QSA-21-03", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2018-19957", "datePublished": "2021-09-10T00:00:00", "dateReserved": "2018-12-07T00:00:00", "dateUpdated": "2021-09-10T04:00:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "560D361F-6679-43FA-9164-64FCAA0563B1", "versionEndExcluding": "4.5.4.1715", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B57DE98-C9C6-4C4D-B790-293D6D0CE646", "versionEndExcluding": "h4.5.4.1771", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "65E1E2FD-8AB8-4C29-AC6F-619CB0888620", "versionEndExcluding": "c4.5.6.1755", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later"}, {"lang": "es", "value": "Se ha reportado de una vulnerabilidad que implica encabezados de seguridad HTTP insuficientes y que afecta a los NAS de QNAP que ejecutan QTS, QuTS hero y QuTScloud. Esta vulnerabilidad permite a atacantes remotos iniciar ataques de privacidad y seguridad. Ya hemos corregido esta vulnerabilidad en las siguientes versiones: QTS 4.5.4.1715 build 20210630 y posteriores QuTS hero h4.5.4.1771 build 20210825 y posteriores QuTScloud c4.5.6.1755 build 20210809 y posteriores"}], "id": "CVE-2018-19957", "lastModified": "2021-09-23T15:49:14.857", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-10T04:15:08.857", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-03"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1021"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}