#VU13396 Command injection in QNAP QTS - CVE-2018-0712

 

Published: June 20, 2018 / Updated: June 20, 2018


Vulnerability identifier: #VU13396
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-0712
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
QNAP QTS
Software vendor:
QNAP Systems, Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to a command injection flaw in the LDAP Server. A remote unauthenticated attacker can send specially crafted data to inject and execute arbitrary commands with elevated privileges.


Remediation

The vulnerability is addressed in versions 4.2.6 build 20180504, 4.3.3 build 20180504, and 4.3.4 build 20180501.
