CVE-2023-39300

QTS

Description

An OS command injection vulnerability has been reported to affect legacy QTS. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.3.6.2805 build 20240619 and later QTS 4.3.4.2814 build 20240618 and later QTS 4.3.3.2784 build 20240619 and later QTS 4.2.6 build 20240618 and later

Remediation

Solution:

We have already fixed the vulnerability in the following versions: QTS 4.3.6.2805 build 20240619 and later QTS 4.3.4.2814 build 20240618 and later QTS 4.3.3.2784 build 20240619 and later QTS 4.2.6 build 20240618 and later

References

Link	Tags
https://www.qnap.com/en/security-advisory/qsa-24-26	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2023-39300?: CVE-2023-39300 has been scored as a high severity vulnerability.
How to fix CVE-2023-39300?: To fix CVE-2023-39300: We have already fixed the vulnerability in the following versions: QTS 4.3.6.2805 build 20240619 and later QTS 4.3.4.2814 build 20240618 and later QTS 4.3.3.2784 build 20240619 and later QTS 4.2.6 build 20240618 and later
Is CVE-2023-39300 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-39300 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-39300?: CVE-2023-39300 affects QNAP Systems Inc. QTS, QNAP Systems Inc. QTS, QNAP Systems Inc. QuTS hero, QNAP Systems Inc. QuTScloud.

Description

Remediation

Category

CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References

Frequently Asked Questions