QNAP QTS Vulnerability: Local Auth Bypass Could Allow Data Breaches
CVE-2023-39298

7.8HIGH

Key Information:

Vendor: QNAP
Status: Qts; Quts Hero; Qutscloud
Vendor: CVE Published:; 6 September 2024

What is CVE-2023-39298?

A missing authorization vulnerability in specific versions of QNAP operating systems has the potential to allow local authenticated users unauthorized access to sensitive data and the ability to perform prohibited actions. This flaw affects versions of QTS and QuTS hero prior to specific builds. QNAP has addressed this issue with patches in the subsequent releases, ensuring enhanced security for users.

Affected Version(s)

QTS 5.1.x < 5.2.0.2737 build 20240417

QuTS hero h5.1.x

QTS 5.0.x

References

https://www.qnap.com/en/security-advisory/qsa-24-28

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 6, 2024
Vulnerability Reserved
Jul 27, 2023

Credit

chumen77