// For flags

CVE-2021-38693

Path Traversal in thttpd

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later

Se ha informado de una vulnerabilidad de salto de ruta que afecta a los dispositivos de QNAP que ejecutan QuTScloud, QuTS hero, QTS, QVR Pro Appliance. Si es explotada, esta vulnerabilidad permite a atacantes leer el contenido de archivos no esperados y exponer datos confidenciales. Ya hemos corregido esta vulnerabilidad en las siguientes versiones de QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 y posteriores QuTS hero h5.0.0.1949 build 20220215 y posteriores QuTS hero h4.5.4.1951 build 20220218 y posteriores QTS 5.0.0.1986 build 20220324 y posteriores QTS 4.5.4.1991 build 20220329 y posteriores

*Credits: Giles, Guido and Simas, Iury from Thomson Reuters
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-08-13 CVE Reserved
  • 2022-05-05 CVE Published
  • 2023-11-26 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://www.qnap.com/en/security-advisory/qsa-22-13 2022-05-13
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 < 4.5.4.1991
Search vendor "Qnap" for product "Qts" and version " < 4.5.4.1991"
-
Affected
Qnap
Search vendor "Qnap"
 Qts
Search vendor "Qnap" for product "Qts"
 >= 5.0.0.1716 < 5.0.0.1986
Search vendor "Qnap" for product "Qts" and version " >= 5.0.0.1716 < 5.0.0.1986"
-
Affected
Qnap
Search vendor "Qnap"
 Quts Hero
Search vendor "Qnap" for product "Quts Hero"
 >= h5.0.0.1772 < h5.0.0.1949
Search vendor "Qnap" for product "Quts Hero" and version " >= h5.0.0.1772 < h5.0.0.1949"
-
Affected
Qnap
Search vendor "Qnap"
 Qutscloud
Search vendor "Qnap" for product "Qutscloud"
 < c5.0.1.1949
Search vendor "Qnap" for product "Qutscloud" and version " < c5.0.1.1949"
-
Affected