CVE-2023-39298

06.09.2024, 17:15

A missing authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated users to access data or perform actions that they should not be allowed to perform via unspecified vectors.
QuTScloud, is not affected.

We have already fixed the vulnerability in the following versions:
QTS 5.2.0.2737 build 20240417 and later
QuTS hero h5.2.0.2782 build 20240601 and later

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
qnap	CNA	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Vendor	Product	Version
qnap	qts	5.1.0.2348:build_20230325
qnap	qts	5.1.0.2399:build_20230515
qnap	qts	5.1.0.2418:build_20230603
qnap	qts	5.1.0.2444:build_20230629
qnap	qts	5.1.0.2466:build_20230721
qnap	qts	5.1.1.2491:build_20230815
qnap	qts	5.1.2.2533:build_20230926
qnap	qts	5.1.3.2578:build_20231110
qnap	qts	5.1.4.2596:build_20231128
qnap	qts	5.1.5.2645:build_20240116
qnap	qts	5.1.5.2679:build_20240219
qnap	qts	5.1.6.2722:build_20240402
qnap	qts	5.1.7.2770:build_20240520
qnap	qts	5.1.8.2823:build_20240712
qnap	qts	5.2.0.2737:build_20240417
qnap	qts	5.2.0.2744:build_20240424

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://www.qnap.com/en/security-advisory/qsa-24-28