CVE-2020-2509
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
Yes
*KEV
Decision
-
*SSVC
Descriptions
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later
Se ha reportado una vulnerabilidad de inyección de comando que afecta a QTS y a QuTS hero. Si se explota, esta vulnerabilidad permite a atacantes ejecutar comandos arbitrarios en una aplicación comprometida. Ya hemos corregido esta vulnerabilidad en las siguientes versiones: QTS versiones 4.5.2.1566 Build 20210202 y posteriores. QTS versiones 4.5.1.1495 Build 20201123 y posteriores. QTS versiones 4.3.6.1620 Build 20210322 y posteriores QTS versiones 4.3.4.1632 Build 20210324 y posteriores QTS versiones 4.3.3.1624 Build 20210416 y posteriores. QTS versiones 4.2.6 Build 20210327 y posteriores. QuTS hero versiones h4.5.1.1491 build 20201119 y posteriores
QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution.
*Credits:
Omri Mallis, Yaniv Puyeski
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-12-09 CVE Reserved
- 2021-04-17 CVE Published
- 2022-04-11 Exploited in Wild
- 2022-05-02 KEV Due Date
- 2024-09-16 CVE Updated
- 2024-11-12 EPSS Updated
- ---------- First Exploit
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.qnap.com/en/security-advisory/qsa-21-05 | 2023-11-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | < 4.2.6 Search vendor "Qnap" for product "Qts" and version " < 4.2.6" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | >= 4.3.5 < 4.3.6 Search vendor "Qnap" for product "Qts" and version " >= 4.3.5 < 4.3.6" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | >= 4.4.0 < 4.5.1 Search vendor "Qnap" for product "Qts" and version " >= 4.4.0 < 4.5.1" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20170517 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20190322 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20190730 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20190921 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20191107 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20200109 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20200421 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20200611 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.2.6 Search vendor "Qnap" for product "Qts" and version "4.2.6" | build_20200821 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.0174 Search vendor "Qnap" for product "Qts" and version "4.3.3.0174" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.0868 Search vendor "Qnap" for product "Qts" and version "4.3.3.0868" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.0998 Search vendor "Qnap" for product "Qts" and version "4.3.3.0998" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.1051 Search vendor "Qnap" for product "Qts" and version "4.3.3.1051" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.1098 Search vendor "Qnap" for product "Qts" and version "4.3.3.1098" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.1161 Search vendor "Qnap" for product "Qts" and version "4.3.3.1161" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.1252 Search vendor "Qnap" for product "Qts" and version "4.3.3.1252" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.1315 Search vendor "Qnap" for product "Qts" and version "4.3.3.1315" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.1386 Search vendor "Qnap" for product "Qts" and version "4.3.3.1386" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.3.1432 Search vendor "Qnap" for product "Qts" and version "4.3.3.1432" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0358 Search vendor "Qnap" for product "Qts" and version "4.3.4.0358" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0358 Search vendor "Qnap" for product "Qts" and version "4.3.4.0358" | beta1 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0370 Search vendor "Qnap" for product "Qts" and version "4.3.4.0370" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0370 Search vendor "Qnap" for product "Qts" and version "4.3.4.0370" | beta1 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0372 Search vendor "Qnap" for product "Qts" and version "4.3.4.0372" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0372 Search vendor "Qnap" for product "Qts" and version "4.3.4.0372" | beta1 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0374 Search vendor "Qnap" for product "Qts" and version "4.3.4.0374" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0374 Search vendor "Qnap" for product "Qts" and version "4.3.4.0374" | beta1 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0387 Search vendor "Qnap" for product "Qts" and version "4.3.4.0387" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0387 Search vendor "Qnap" for product "Qts" and version "4.3.4.0387" | beta2 |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0411 Search vendor "Qnap" for product "Qts" and version "4.3.4.0411" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0416 Search vendor "Qnap" for product "Qts" and version "4.3.4.0416" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0427 Search vendor "Qnap" for product "Qts" and version "4.3.4.0427" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0434 Search vendor "Qnap" for product "Qts" and version "4.3.4.0434" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0435 Search vendor "Qnap" for product "Qts" and version "4.3.4.0435" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0451 Search vendor "Qnap" for product "Qts" and version "4.3.4.0451" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0483 Search vendor "Qnap" for product "Qts" and version "4.3.4.0483" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0486 Search vendor "Qnap" for product "Qts" and version "4.3.4.0486" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0506 Search vendor "Qnap" for product "Qts" and version "4.3.4.0506" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0516 Search vendor "Qnap" for product "Qts" and version "4.3.4.0516" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0526 Search vendor "Qnap" for product "Qts" and version "4.3.4.0526" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0551 Search vendor "Qnap" for product "Qts" and version "4.3.4.0551" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0557 Search vendor "Qnap" for product "Qts" and version "4.3.4.0557" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0561 Search vendor "Qnap" for product "Qts" and version "4.3.4.0561" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0569 Search vendor "Qnap" for product "Qts" and version "4.3.4.0569" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0593 Search vendor "Qnap" for product "Qts" and version "4.3.4.0593" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0597 Search vendor "Qnap" for product "Qts" and version "4.3.4.0597" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0604 Search vendor "Qnap" for product "Qts" and version "4.3.4.0604" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.0899 Search vendor "Qnap" for product "Qts" and version "4.3.4.0899" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.1029 Search vendor "Qnap" for product "Qts" and version "4.3.4.1029" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.1082 Search vendor "Qnap" for product "Qts" and version "4.3.4.1082" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.1190 Search vendor "Qnap" for product "Qts" and version "4.3.4.1190" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.1282 Search vendor "Qnap" for product "Qts" and version "4.3.4.1282" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.1368 Search vendor "Qnap" for product "Qts" and version "4.3.4.1368" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.1417 Search vendor "Qnap" for product "Qts" and version "4.3.4.1417" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.4.1463 Search vendor "Qnap" for product "Qts" and version "4.3.4.1463" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6 Search vendor "Qnap" for product "Qts" and version "4.3.6" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.0895 Search vendor "Qnap" for product "Qts" and version "4.3.6.0895" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.0907 Search vendor "Qnap" for product "Qts" and version "4.3.6.0907" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.0923 Search vendor "Qnap" for product "Qts" and version "4.3.6.0923" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.0944 Search vendor "Qnap" for product "Qts" and version "4.3.6.0944" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.0959 Search vendor "Qnap" for product "Qts" and version "4.3.6.0959" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.0979 Search vendor "Qnap" for product "Qts" and version "4.3.6.0979" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.0993 Search vendor "Qnap" for product "Qts" and version "4.3.6.0993" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1013 Search vendor "Qnap" for product "Qts" and version "4.3.6.1013" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1033 Search vendor "Qnap" for product "Qts" and version "4.3.6.1033" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1070 Search vendor "Qnap" for product "Qts" and version "4.3.6.1070" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1154 Search vendor "Qnap" for product "Qts" and version "4.3.6.1154" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1218 Search vendor "Qnap" for product "Qts" and version "4.3.6.1218" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1263 Search vendor "Qnap" for product "Qts" and version "4.3.6.1263" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1286 Search vendor "Qnap" for product "Qts" and version "4.3.6.1286" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1333 Search vendor "Qnap" for product "Qts" and version "4.3.6.1333" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1411 Search vendor "Qnap" for product "Qts" and version "4.3.6.1411" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.3.6.1446 Search vendor "Qnap" for product "Qts" and version "4.3.6.1446" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.5.1 Search vendor "Qnap" for product "Qts" and version "4.5.1" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.5.1.1456 Search vendor "Qnap" for product "Qts" and version "4.5.1.1456" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.5.1.1461 Search vendor "Qnap" for product "Qts" and version "4.5.1.1461" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.5.1.1465 Search vendor "Qnap" for product "Qts" and version "4.5.1.1465" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.5.1.1480 Search vendor "Qnap" for product "Qts" and version "4.5.1.1480" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Qts Search vendor "Qnap" for product "Qts" | 4.5.2 Search vendor "Qnap" for product "Qts" and version "4.5.2" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Quts Hero Search vendor "Qnap" for product "Quts Hero" | < h4.5.1 Search vendor "Qnap" for product "Quts Hero" and version " < h4.5.1" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Quts Hero Search vendor "Qnap" for product "Quts Hero" | h4.5.1 Search vendor "Qnap" for product "Quts Hero" and version "h4.5.1" | - |
Affected
| ||||||
| Qnap Search vendor "Qnap" | Quts Hero Search vendor "Qnap" for product "Quts Hero" | h4.5.1.1472 Search vendor "Qnap" for product "Quts Hero" and version "h4.5.1.1472" | - |
Affected
| ||||||