JVNDB-2014-000126
|
QNAP QTS vulnerable to OS command injection
|
QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a flaw in the GNU Bash shell, which may result in an OS command injection vulnerability (CWE-78).
Yuuki Wakisaka of the University of Electro-Communications reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 10.0 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
|
|
QNAP Systems
- QNAP QTS 4.1.1 Build 0927 and earlier
|
|
A malicious attacker may be able to execute arbitrary commands at the privilege level of the calling application.
|
[Update the Firmware]
Update to the latest version of firmware according to the information provided by the developer.
|
QNAP Systems
Apple Inc.
Hitachi, Ltd.
|
- OS Command Injection (CWE-78) [IPA Evaluation]
|
- CVE-2014-7169
- CVE-2014-6271
- CVE-2014-6277
- CVE-2014-6278
- CVE-2014-7186
- CVE-2014-7187
|
- JVN : JVN#55667175
- JVN : JVNVU#97219505 (in Japanese)
- JVN : JVNVU#97220341
- JVN iPedia : JVNDB-2014-004399 (in Japanese)
- JVN iPedia : JVNDB-2014-004410 (in Japanese)
- JVN iPedia : JVNDB-2014-004431 (in Japanese)
- JVN iPedia : JVNDB-2014-004476 (in Japanese)
- JVN iPedia : JVNDB-2014-004432 (in Japanese)
- JVN iPedia : JVNDB-2014-004433 (in Japanese)
- National Vulnerability Database (NVD) : CVE-2014-7169
- National Vulnerability Database (NVD) : CVE-2014-6271
- National Vulnerability Database (NVD) : CVE-2014-6277
- National Vulnerability Database (NVD) : CVE-2014-6278
- National Vulnerability Database (NVD) : CVE-2014-7186
- National Vulnerability Database (NVD) : CVE-2014-7187
- US-CERT Vulnerability Note : VU#252743 GNU Bash shell executes commands in environment variables
- ICS-CERT ADVISORY : ICSA-15-344-01
- ICS-CERT ADVISORY : ICSA-14-269-01A
|
- [2014/10/28]
  Web page was published
- [2014/10/30]
  Affected Products : Product version was modified
  Vendor Information : Content was modified
  CVE : CVE-IDs were added
  References : Contents were added
- [2015/10/06]
  Vendor Information : Content was modified
  References : Content was added
- [2015/12/22]
  References : Content was added
- [2015/12/25]
  Vendor Information : Contents were added
- [2024/07/18]
  References : Content was added
|