CVE-2017-13067

QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901. This particular vulnerability allows a remote attacker to execute commands on a QNAP NAS using a transcoding service on port 9251. A remote user does not require any privileges to successfully execute an attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
qnapCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
qnapqts
4.2.0 ≤
𝑥
≤ 4.2.6
qnapqts
4.3.0 ≤
𝑥
≤ 4.3.3.0299
𝑥
= Vulnerable software versions
References
https://www.qnap.com/zh-hk/releasenotes/
https://www.qnap.com/zh-hk/releasenotes/