CVE-2021-28800OS Command Injection in Systems INC QTS

CWE-78OS Command Injection3 documents3 sources
Severity
9.8CRITICALNVD
CNA8.1
EPSS
1.2%
top 21.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Qnap Systems INC QTSQnap QTS
Timeline
PublishedJun 24
Latest updateMay 24

Description

A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.3.6.1663 Build 20210504; versions prior to 4.3.3.1624 Build 20210416. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. QNAP Systems Inc. QuTS hero h4.5.3. QNAP Systems Inc. QuTScloud c4.5.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5qnap_systems_inc/qtsunspecified4.3.6.1663 Build 20210504+1
NVDqnap/qts4.3.44.3.6.1663+1

🔴Vulnerability Details

2
GHSA
GHSA-f7g6-2r8w-qfr2: A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS2022-05-24
CVEList
Command Injection Vulnerability in QTS2021-06-24
CVE-2021-28800 — OS Command Injection | cvebase