Qnap Security Advisory Bulletin ID: QSA-23-41, QSA-23-42, QSA-23-44, QSA-23-52
Concerning vulnerabilities in QTS, QuTS hero, and QuTScloud, Container Station, and Video Station
This is a Press Release edited by StorageNewsletter.com on October 18, 2023 at 2:01 pm
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of its products.
Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
- Vulnerabilities in QTS, QuTS hero, and QuTScloud (ID: QSA-23-41)
- Vulnerability in QTS, QuTS hero, and QuTScloud (ID: QSA-23-42)
- Vulnerability in Container Station (ID: QSA-23-44)
- Vulnerabilities in Video Station (ID: QSA-23-52)
Vulnerabilities in QTS, QuTS hero, and QuTScloud
Security ID: QSA-23-41
Release date: October 14, 2023
CVE identifier: CVE-2023-32970 | CVE-2023-32973
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, 5.0.x, 4.5.x; QuTS hero h5.1.x, h5.0.x, h4.5.x; QuTScloud c5.x
Summary
Two vulnerabilities have been reported to affect several Qnap OS versions:
- CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.
- CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network.
The company has already fixed the vulnerabilities in the following versions:
Affected product | Fixed version
QTS 5.1.x | QTS 5.1.0.2444 build 20230629 and later
QTS 5.0.x | QTS 5.0.1.2425 build 20230609 and later
QTS 4.5.x | QTS 4.5.4.2467 build 20230718 and later
QuTS hero h5.1.x | QuTS hero h5.1.0.2424 build 20230609 and later
QuTS hero h5.0.x | QuTS hero h5.0.1.2515 build 20230907 and later
QuTS hero h4.5.x | QuTS hero h4.5.4.2476 build 20230728 and later
QuTScloud c5.x | QuTScloud c5.1.0.2498 and later
Vulnerability in QTS, QuTS hero, and QuTScloud
Security ID: QSA-23-42
Release date: October 14, 2023
CVE identifier: CVE-2023-32974
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x
Summary
A path traversal vulnerability has been reported to affect several Qnap OS versions. If exploited, the vulnerability could allow users to read and expose sensitive data via a network.
The company has already fixed the vulnerability in the following versions:
Affected product | Fixed version
QTS 5.1.x | QTS 5.1.0.2444 build 20230629 and later
QuTS hero h5.1.x | QuTS hero h5.1.0.2424 build 20230609 and later
QuTScloud c5.x | QuTScloud c5.1.0.2498 and later
Vulnerability in Container Station
Security ID: QSA-23-44
Release date: October 14, 2023
CVE identifier: CVE-2023-32976
Severity: Medium
Status: Resolved
Affected products: Container Station 2.6.x
Summary
An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute arbitrary commands via a network.
The company has already fixed the vulnerability in the following version:
Affected product | Fixed version
Container Station 2.6.x | Container Station 2.6.7.44 and later
Vulnerabilities in Video Station
Security ID: QSA-23-52
Release date: October 14, 2023
CVE identifier: CVE-2023-34975 | CVE-2023-34976 | CVE-2023-34977
Severity: High
Status: Resolved
Affected products: Video Station 5.7.x
Summary
Three vulnerabilities have been reported to affect Video Station:
- CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities
- CVE-2023-34977: Cross-site scripting (XSS) vulnerability
If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network.
The company has already fixed the vulnerabilities in the following version:
Affected product | Fixed version
Video Station 5.7.x | Video Station 5.7.0 (2023/07/27) and later