QSA-21-51,QSA-21-52

CVE-2021-38685 CVE-2021-38686
2025-06-10 02:04:31 +00:00 · 2021-11-26 21:58:46 +08:00 · 2021-11-26 21:58:46 +08:00 · 590c1ba6b2
commit 590c1ba6b2
parent 5779810479
2 changed files with 174 additions and 12 deletions
--- a/2021/38xxx/CVE-2021-38685.json
+++ b/2021/38xxx/CVE-2021-38685.json
@ -1,18 +1,99 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security@qnap.com",
+        "DATE_PUBLIC": "2021-11-26T09:48:00.000Z",
        "ID": "CVE-2021-38685",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Command Injection Vulnerability in VioStor"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "QVR",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_affected": "<",
+                                            "version_value": "QVR FW 5.1.6 build 20211109"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "QNAP Systems Inc."
+                }
+            ]
+        }
+    },
+    "credit": [
+        {
+            "lang": "eng",
+            "value": "JPCERT/CC"
+        }
+    ],
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "A command injection vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows remote attackers to run arbitrary commands.\nWe have already fixed this vulnerability in the following versions of QVR:\nQVR FW 5.1.6 build 20211109 and later\n"
            }
        ]
+    },
+    "generator": {
+        "engine": "Vulnogram 0.0.9"
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "HIGH",
+            "baseScore": 9.8,
+            "baseSeverity": "CRITICAL",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "NONE",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-78 OS Command Injection"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "refsource": "CONFIRM",
+                "url": "https://www.qnap.com/en/security-advisory/qsa-21-51"
+            }
+        ]
+    },
+    "solution": [
+        {
+            "lang": "eng",
+            "value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR FW 5.1.6 build 20211109 and later\n"
+        }
+    ],
+    "source": {
+        "advisory": "QSA-21-51",
+        "discovery": "EXTERNAL"
    }
 }
--- a/2021/38xxx/CVE-2021-38686.json
+++ b/2021/38xxx/CVE-2021-38686.json
@ -1,18 +1,99 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security@qnap.com",
+        "DATE_PUBLIC": "2021-11-26T09:47:00.000Z",
        "ID": "CVE-2021-38686",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Improper Authentication Vulnerability in VioStor"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "QVR",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_affected": "<",
+                                            "version_value": "QVR FW 5.1.6 build 20211109"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "QNAP Systems Inc."
+                }
+            ]
+        }
+    },
+    "credit": [
+        {
+            "lang": "eng",
+            "value": "JPCERT/CC"
+        }
+    ],
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system.\nWe have already fixed this vulnerability in the following versions of QVR:\nQVR FW 5.1.6 build 20211109 and later\n"
            }
        ]
+    },
+    "generator": {
+        "engine": "Vulnogram 0.0.9"
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "HIGH",
+            "baseScore": 8.8,
+            "baseSeverity": "HIGH",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "NONE",
+            "scope": "UNCHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-287 Improper Authentication"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "refsource": "CONFIRM",
+                "url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
+            }
+        ]
+    },
+    "solution": [
+        {
+            "lang": "eng",
+            "value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR FW 5.1.6 build 20211109 and later\n"
+        }
+    ],
+    "source": {
+        "advisory": "QSA-21-52",
+        "discovery": "EXTERNAL"
    }
 }