CVE-2023-23369

CRITICAL | CVSS 9.8/10 | EPSS 14.41%

CVE-2023-23369 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 (2023/05/04) and later; Multimedia Console 1.4.8 (2023/05/05) and later; QTS 5.1.0.2399 build 20230515 and later; QTS 4.3.6.2441 build 20230621 and later; QTS 4.3.4.2451 build 20230621 and later; QTS 4.3.3.2420 build 20230621 and later; QTS 4.2.6 build 20230621 and later; Media Streaming add-on 500.1.1.2 (2023/06/12) and later; Media Streaming add-on 500.0.0.11 (2023/06/16) and later. EPSS estimates a 14.41% chance of exploitation in the next 30 days.

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

We have already fixed the vulnerability in the following versions:

- Multimedia Console 2.1.2 (2023/05/04) and later
- Multimedia Console 1.4.8 (2023/05/05) and later
- QTS 5.1.0.2399 build 20230515 and later
- QTS 4.3.6.2441 build 20230621 and later
- QTS 4.3.4.2451 build 20230621 and later
- QTS 4.3.3.2420 build 20230621 and later
- QTS 4.2.6 build 20230621 and later
- Media Streaming add-on 500.1.1.2 (2023/06/12) and later
- Media Streaming add-on 500.0.0.11 (2023/06/16) and later

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
14.41%

96.2th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor  Product  Version     Update
QNAP    QTS      5.1.0.2348  Build 20230325
QNAP    QTS      4.3.6.0895  Build 20190328
QNAP    QTS      4.3.6.0907  Build 20190409
QNAP    QTS      4.3.6.0923  Build 20190425
QNAP    QTS      4.3.6.0944  Build 20190516
QNAP    QTS      4.3.6.0959  Build 20190531
QNAP    QTS      4.3.6.0979  Build 20190620
QNAP    QTS      4.3.6.0993  Build 20190704
QNAP    QTS      4.3.6.1013  Build 20190724
QNAP    QTS      4.3.6.1033  Build 20190813
QNAP    QTS      4.3.6.1070  Build 20190919
QNAP    QTS      4.3.6.1154  Build 20191212
QNAP    QTS      4.3.6.1218  Build 20200214
QNAP    QTS      4.3.6.1263  Build 20200330
QNAP    QTS      4.3.6.1286  Build 20200422
QNAP    QTS      4.3.6.1333  Build 20200608
QNAP    QTS      4.3.6.1411  Build 20200825
QNAP    QTS      4.3.6.1446  Build 20200929
QNAP    QTS      4.3.6.1620  Build 20210322
QNAP    QTS      4.3.6.1663  Build 20210504
QNAP    QTS      4.3.6.1711  Build 20210621
QNAP    QTS      4.3.6.1750  Build 20210730
QNAP    QTS      4.3.6.1831  Build 20211019
QNAP    QTS      4.3.6.1907  Build 20220103
QNAP    QTS      4.3.6.1965  Build 20220302
QNAP    QTS      4.3.6.2050  Build 20220526
QNAP    QTS      4.3.6.2232  Build 20221124
QNAP    QTS      4.3.4.0899  Build 20190322
QNAP    QTS      4.3.4.1029  Build 20190730
QNAP    QTS      4.3.4.1082  Build 20190921
QNAP    QTS      4.3.4.1190  Build 20200107
QNAP    QTS      4.3.4.1282  Build 20200408
QNAP    QTS      4.3.4.1368  Build 20200703
QNAP    QTS      4.3.4.1417  Build 20200821
QNAP    QTS      4.3.4.1463  Build 20201006
QNAP    QTS      4.3.4.1632  Build 20210324
QNAP    QTS      4.3.4.1652  Build 20210413
QNAP    QTS      4.3.4.1976  Build 20220303
QNAP    QTS      4.3.4.2107  Build 20220712
QNAP    QTS      4.3.4.2242  Build 20221124
QNAP    QTS      4.3.3.0174  Build 20170503
QNAP    QTS      4.3.3.0868  Build 20190322
QNAP    QTS      4.3.3.0998  Build 20190730
QNAP    QTS      4.3.3.1051  Build 20190921
QNAP    QTS      4.3.3.1098  Build 20191107
QNAP    QTS      4.3.3.1161  Build 20200109
QNAP    QTS      4.3.3.1252  Build 20200409
QNAP    QTS      4.3.3.1315  Build 20200611
QNAP    QTS      4.3.3.1386  Build 20200821
QNAP    QTS      4.3.3.1432  Build 20201006

Showing 50 of 78 affected configurations. See NVD for the full list.

References

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2023-23369?
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 (2023/05/04) and later; Multimedia Console 1.4.8 (2023/05/05) and later; QTS 5.1.0.2399 build 20230515 and later; QTS 4.3.6.2441 build 20230621 and later; QTS 4.3.4.2451 build 20230621 and later; QTS 4.3.3.2420 build 20230621 and later; QTS 4.2.6 build 20230621 and later; Media Streaming add-on 500.1.1.2 (2023/06/12) and later; Media Streaming add-on 500.0.0.11 (2023/06/16) and later.
How severe is CVE-2023-23369?
CVE-2023-23369 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 14.41% probability of exploitation in the next 30 days.
How do I fix CVE-2023-23369?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST