CVE-2022-27596 - OpenCVE

A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later QTS 5.0.1.2234 build 20221201 and later

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Qnap	Quts Hero Qts

Configuration 1 [-]

OR	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:quts_hero::::::::

References

Link	Resource
https://www.qnap.com/en/security-advisory/qsa-23-01	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: qnap

Published: 2023-01-30T01:13:47.317Z

Updated: 2023-02-03T01:04:37.338Z

Reserved: 2022-03-21T22:02:33.326Z

Link: CVE-2022-27596

JSON object: View

NVD Information

Status : Modified

Published: 2023-01-30T02:15:08.463

Modified: 2023-11-07T03:45:21.480

Link: CVE-2022-27596

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-27596", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2022-03-21T22:02:33.326Z", "datePublished": "2023-01-30T01:13:47.317Z", "dateUpdated": "2023-02-03T01:04:37.338Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QuTS hero", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "h5.0.1.2248 build 20221215", "status": "affected", "version": "h5.0.1", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QTS", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "5.0.1.2234 build 20221201", "status": "affected", "version": "5.0.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "huasheng_mangguo"}], "datePublic": "2023-01-30T09:53:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.<br>We have already fixed this vulnerability in the following versions of QuTS hero, QTS:<br>QuTS hero h5.0.1.2248 build 20221215 and later<br>QTS 5.0.1.2234 build 20221201 and later<br>"}], "value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\nWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2023-02-03T01:04:37.338Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-23-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS:<br>QuTS hero h5.0.1.2248 build 20221215 and later<br>QTS 5.0.1.2234 build 20221201 and later<br>"}], "value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"}], "source": {"advisory": "QSA-23-01", "discovery": "EXTERNAL"}, "title": "Vulnerability in QTS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDB678B3-A51E-4F60-B049-FED59A368B9B", "versionEndExcluding": "5.0.1.2234", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B1CD08D-792B-45D9-8CCA-5222EE75A870", "versionEndExcluding": "h5.0.1.2248", "versionStartIncluding": "h5.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\nWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"}], "id": "CVE-2022-27596", "lastModified": "2023-11-07T03:45:21.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2023-01-30T02:15:08.463", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-23-01"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}