CVE-2022-27596

2023-01-3002:15:08

CWE-89

[email protected]

web.nvd.nist.gov

qnap

quts hero

qts

remote code injection

vulnerability

cve-2022-27596

security fix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.1%

JSON

A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.
We have already fixed this vulnerability in the following versions of QuTS hero, QTS:
QuTS hero h5.0.1.2248 build 20221215 and later
QTS 5.0.1.2234 build 20221201 and later

Affected configurations

NVD

Node

qnapqtsRange5.0.1–5.0.1.2234

qnapquts_heroRangeh5.0.1–h5.0.1.2248

CPENameOperatorVersion
qnap:qtsqnap qtslt5.0.1.2234
qnap:quts_heroqnap quts herolth5.0.1.2248

CPE	Name	Operator	Version
qnap:qts	qnap qts	lt	5.0.1.2234
qnap:quts_hero	qnap quts hero	lt	h5.0.1.2248

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "QuTS hero",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "h5.0.1.2248 build 20221215",
        "status": "affected",
        "version": "h5.0.1",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "QTS",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "5.0.1.2234 build 20221201",
        "status": "affected",
        "version": "5.0.1",
        "versionType": "custom"
      }
    ]
  }
]