CVE-2021-44052: Link Following in Qnap Systems INC QTS

CWE-59: Link Following | 3 documents | 3 sources
Severity
8.1 HIGH (NVD)
CNA: 6.5
EPSS
0.4% (top 37.22%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 5
Latest update: May 6

Description

An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and la

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (6 packages)

CVEListV5 | qnap_systems_inc/quts_hero | unspecified | h4.5.4.1971 build 20220310 | +1
NVD | qnap/quts_hero | h5.0.0.1772 | h5.0.0.1986 | +1
CVEListV5 | qnap_systems_inc/qutscloud | unspecified | c5.0.1.1998
NVD | qnap/qutscloud | < c5.0.1.1998
CVEListV5 | qnap_systems_inc/qts | unspecified | 4.3.4.1976 build 20220303 | +5

Vulnerability Details (2)

GHSA | GHSA-q4mx-gr8m-q3rr: An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, | 2022-05-06
CVEList | Arbitrary file read | 2022-05-05