QNAP QTS Vulnerability: Local Auth Bypass Could Allow Data Breaches

CVE-2023-39298

7.8HIGH

Key Information

Vendor: QNAP
Status: Qts; Quts Hero; Qutscloud
Vendor: CVE Published:; 6 September 2024

Summary

A missing authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated users to access data or perform actions that they should not be allowed to perform via unspecified vectors. QuTScloud, is not affected. We have already fixed the vulnerability in the following versions: QTS 5.2.0.2737 build 20240417 and later QuTS hero h5.2.0.2782 build 20240601 and later

Affected Version(s)

QTS < 5.2.0.2737 build 20240417

QTS >= 5.0.x

QTS >= 4.5.x

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Sep 6, 2024
Vulnerability Reserved.
Jul 27, 2023

Collectors

NVD DatabaseMitre Database

Credit

chumen77