CVE-2021-38685OS Command Injection in Systems INC QVR

CWE-78OS Command Injection3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
1.1%
top 21.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Qnap Systems INC QVRQnap QVR
Timeline
PublishedNov 26
Latest updateNov 27

Description

A command injection vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDqnap/qvr< 5.1.6
CVEListV5qnap_systems_inc/qvrunspecifiedQVR FW 5.1.6 build 20211109

🔴Vulnerability Details

2
GHSA
GHSA-5647-h66r-5vj6: A command injection vulnerability has been reported to affect QNAP device, VioStor2021-11-27
CVEList
Command Injection Vulnerability in VioStor2021-11-26
CVE-2021-38685 — OS Command Injection | cvebase