Qnap Five Security Advisories on Resolved Vulnerabilities
Concerning QTS, QuTS hero, QuTScloud NAS OSs, and myQnapcloud, vulnerabilities in jackson-databind, vulnerability in Network and Virtual Switch, and Vulnerability in Photo Station
This is a Press Release edited by StorageNewsletter.com on March 12, 2024 at 2:01 pm
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company's products.
Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
- Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, and myQnapcloud (ID: QSA-24-09)
- Multiple Vulnerabilities in jackson-databind (ID: QSA-24-10)
- Vulnerability in Network & Virtual Switch (ID: QSA-24-11)
- Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud (ID: QSA-24-12)
- Vulnerability in Photo Station (ID: QSA-24-13)
Multiple vulnerabilities in QTS, QuTS hero, QuTScloud, and myQnapcloud
Security ID: QSA-24-09
Release date: March 9, 2024
CVE identifier: CVE-2024-21899 | CVE-2024-21900 | CVE-2024-21901
Severity: Critical
Status: Resolved
Affected products: QTS 5.1.x, 4.5.x; QuTS hero h5.1.x, h4.5.x; QuTScloud c5.x; myQnapcloud 1.0.x
Summary
Multiple vulnerabilities have been reported to affect certain Qnap OSs and application versions:
- CVE-2024-21899: If exploited, the improper authentication vulnerability could allow users to compromise the security of the system via a network.
- CVE-2024-21900: If exploited, the injection vulnerability could allow authenticated users to execute commands via a network.
- CVE-2024-21901: If exploited, the SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network.
The company has already fixed the vulnerabilities in the following versions:
Affected product | Fixed version
QTS 5.1.x | QTS 5.1.3.2578 build 20231110 and later
QTS 4.5.x | QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.x | QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.x | QuTScloud c5.1.5.2651 and later
myQnapcloud 1.0.x | myQnapcloud 1.0.52 (2023/11/24) and later
Multiple Vulnerabilities in jackson-databind
Security ID: QSA-24-10
Release date: March 9, 2024
CVE identifier: CVE-2022-42004 | CVE-2022-42003 | CVE-2020-36518 | CVE-2021-46877
Severity: Medium
Status: Resolved
Affected products: QuMagie Mobile 2.2.x for Android
Summary
Multiple vulnerabilities have been reported in jackson-databind, which affect QuMagie Mobile for Android.
The company has already fixed the vulnerabilities in the following version:
Affected product | Fixed version
QuMagie Mobile 2.2.x for Android | QuMagie Mobile 2.2.0.0126 and later for Android
Vulnerability in Network and Virtual Switch
Security ID: QSA-24-11
Release date: March 9, 2024
CVE identifier: CVE-2023-32969
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect Network and Virtual Switch in certain Qnap OS versions. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.
The company has already fixed the vulnerability in the following versions:
Affected product | Fixed version
QTS 5.1.x | QTS 5.1.4.2596 build 20231128 and later
QuTS hero h5.1.x | QuTS hero h5.1.4.2596 build 20231128 and later
QuTScloud c5.x | QuTScloud c5.1.5.2651 and later
Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud
Security ID: QSA-24-12
Release date: March 9, 2024
CVE identifier: CVE-2023-34975 | CVE-2023-34980
Severity: Medium
Status: Resolved
Not affected products: QTS 5.x, QuTS hero h5.x, QuTScloud c5.1.x
Affected products: QTS 4.5.x, QuTS hero h4.5.x, QuTScloud c5.0.x
Summary
Two OS command injection vulnerabilities have been reported to affect certain Qnap OS versions. If exploited, the vulnerabilities could allow authenticated administrators to execute commands via a network.
The company has already fixed the vulnerabilities in the following versions:
Affected product | Fixed version
QTS 4.5.x | QTS 4.5.4.2627 build 20231225 and later
QuTS hero h4.5.x | QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.0.x | QuTScloud c5.1.0.2498 build 20230822 and later
QTS 5.x, QuTS hero h5.x, and QuTScloud c5.1.x are not affected.
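As an added example (not part of the press release or any Qnap tooling), a Python check that parses version strings in the form the advisories above use and reports which of the QSA-24-09, QSA-24-11 and QSA-24-12 fixes an installed QTS, QuTS hero or QuTScloud build still lacks. The thresholds are copied from the tables above; the string format and the "compare (version tuple, build date)" rule are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Assumed format of a Qnap OS version string, e.g. "QTS 5.1.3.2578 build 20231110",
# "QuTS hero h5.1.4.2596 build 20231128" or "QuTScloud c5.1.5.2651" (no build date).
_VER = re.compile(
    r"^(?P<product>QTS|QuTS hero|QuTScloud)\s+[hc]?(?P<ver>\d+(?:\.\d+)+)"
    r"(?:\s+build\s+(?P<build>\d{8}))?$"
)

def parse(s: str) -> Tuple[str, Tuple[int, ...], int]:
    """Split a version string into (product, numeric version tuple, build date or 0)."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Qnap version string: {s!r}")
    build = int(m.group("build")) if m.group("build") else 0
    return m.group("product"), tuple(int(x) for x in m.group("ver").split(".")), build

# (advisory, product, affected branch, fixed version) as published in the advisories above.
# The affected branch is kept separately because a fix may live in a later branch
# (QSA-24-12: QuTScloud c5.0.x is fixed in c5.1.0.2498), and branches an advisory
# lists as not affected (e.g. QTS 5.x for QSA-24-12) simply have no entry.
FIXES = [
    ("QSA-24-09", "QTS", "5.1", "QTS 5.1.3.2578 build 20231110"),
    ("QSA-24-09", "QTS", "4.5", "QTS 4.5.4.2627 build 20231225"),
    ("QSA-24-09", "QuTS hero", "5.1", "QuTS hero h5.1.3.2578 build 20231110"),
    ("QSA-24-09", "QuTS hero", "4.5", "QuTS hero h4.5.4.2626 build 20231225"),
    ("QSA-24-09", "QuTScloud", "5", "QuTScloud c5.1.5.2651"),
    ("QSA-24-11", "QTS", "5.1", "QTS 5.1.4.2596 build 20231128"),
    ("QSA-24-11", "QuTS hero", "5.1", "QuTS hero h5.1.4.2596 build 20231128"),
    ("QSA-24-11", "QuTScloud", "5", "QuTScloud c5.1.5.2651"),
    ("QSA-24-12", "QTS", "4.5", "QTS 4.5.4.2627 build 20231225"),
    ("QSA-24-12", "QuTS hero", "4.5", "QuTS hero h4.5.4.2626 build 20231225"),
    ("QSA-24-12", "QuTScloud", "5.0", "QuTScloud c5.1.0.2498 build 20230822"),
]

def in_branch(ver: Tuple[int, ...], branch: str) -> bool:
    want = tuple(int(x) for x in branch.split("."))
    return ver[: len(want)] == want

def unpatched(installed: str) -> List[str]:
    """Advisory IDs whose fixed version the installed build does not yet reach."""
    product, ver, build = parse(installed)
    pending: List[str] = []
    for qsa, prod, branch, fixed in FIXES:
        if prod != product or not in_branch(ver, branch):
            continue  # other product, or a branch this advisory does not list as affected
        _, fver, fbuild = parse(fixed)
        # A missing build date (0) sorts below any real date, so an unknown build is flagged.
        if (ver, build) < (fver, fbuild) and qsa not in pending:
            pending.append(qsa)
    return pending
```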
Vulnerability in Photo Station
Security ID: QSA-24-13
Release date: March 9, 2024
CVE identifier: CVE-2023-47221
Severity: Medium
Status: Resolved
Affected products: Photo Station 6.4.x
Summary
A path traversal vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network.
The company has already fixed the vulnerability in the following version:
Affected product | Fixed version
Photo Station 6.4.x | Photo Station 6.4.2 (2023/12/15) and later