Command Injection Vulnerability in Media Streaming Add-on
CVE-2021-34362

8.7 HIGH

Key Information:

Vendor
QNAP
CVE Published:
22 October 2021

Summary

A command injection vulnerability has been reported to affect QNAP devices running the Media Streaming add-on. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of Media Streaming add-on:

  • QTS 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later

  • QTS 4.5.4: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later

  • QTS 4.3.6: Media Streaming add-on 430.1.8.12 ( 2021/08/20 ) and later

  • QTS 4.3.3: Media Streaming add-on 430.1.8.12 ( 2021/09/29 ) and later

  • QuTS-Hero 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later

Affected Version(s)

Media Streaming add-on QTS 4.3.3 < 430.1.8.12 ( 2021/09/29 )

Media Streaming add-on QTS 4.3.6 < 430.1.8.12 ( 2021/08/20 )

Media Streaming add-on QTS 4.5.4 < 500.0.0.3 ( 2021/08/20 )

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tony Martin, a security researcher.