// For flags

CVE-2018-19949

QNAP NAS File Station Command Injection Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

-
*SSVC
Descriptions

If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.

Si es explotada, esta vulnerabilidad de inyección de comandos podría permitir a atacantes remotos ejecutar comandos arbitrarios. QNAP ya ha corregido el problema en las siguientes versiones de QTS. QTS versión 4.4.2.1231 en build 20200302; QTS versión 4.4.1.1201 en build 20200130; QTS versión 4.3.6.1218 en build 20200214; QTS versión 4.3.4.1190 en build 20200107; QTS versión 4.3.3.1161 en build 20200109; QTS versión 4.2.6 en build 20200109

A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands.

*Credits: Independent Security Evaluators
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-12-07 CVE Reserved
  • 2020-10-28 CVE Published
  • 2022-05-24 Exploited in Wild
  • 2022-06-14 KEV Due Date
  • 2023-07-14 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://www.qnap.com/zh-tw/security-advisory/qsa-20-01 2020-11-13
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 < 4.2.6
Search vendor "Qnap" for product "Qts" and version " < 4.2.6"
-
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 >= 4.3.1.0013 < 4.3.3.1161
Search vendor "Qnap" for product "Qts" and version " >= 4.3.1.0013 < 4.3.3.1161"
-
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 >= 4.3.4 < 4.3.4.1190
Search vendor "Qnap" for product "Qts" and version " >= 4.3.4 < 4.3.4.1190"
-
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 >= 4.3.6 < 4.3.6.1218
Search vendor "Qnap" for product "Qts" and version " >= 4.3.6 < 4.3.6.1218"
-
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 >= 4.4.0 < 4.4.1.1201
Search vendor "Qnap" for product "Qts" and version " >= 4.4.0 < 4.4.1.1201"
-
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 >= 4.4.2 < 4.4.2.1231
Search vendor "Qnap" for product "Qts" and version " >= 4.4.2 < 4.4.2.1231"
-
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 4.2.6
Search vendor "Qnap" for product "Qts" and version "4.2.6"
-
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 4.2.6
Search vendor "Qnap" for product "Qts" and version "4.2.6"
build_20170517
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 4.2.6
Search vendor "Qnap" for product "Qts" and version "4.2.6"
build_20190322
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 4.2.6
Search vendor "Qnap" for product "Qts" and version "4.2.6"
build_20190730
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 4.2.6
Search vendor "Qnap" for product "Qts" and version "4.2.6"
build_20190921
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 4.2.6
Search vendor "Qnap" for product "Qts" and version "4.2.6"
build_20191107
Affected