CVE-2023-34980 - Vulnerability Details - OpenCVE

ReportizFlow

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2627 build 20231225 and later QuTS hero h4.5.4.2626 build 20231225 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Qts Quts Hero

Configuration 1 [-]

OR	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:qts:4.5.4.2627:-::::::
	cpe:2.3:o:qnap:quts_hero::::::::
	cpe:2.3:o:qnap:quts_hero:h4.5.4.2626:-::::::

No data.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-24-12

History

Wed, 10 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Qnap Qnap qts Qnap quts Hero
CPEs		cpe:2.3:o:qnap:qts:::::::: cpe:2.3:o:qnap:qts:4.5.4.2627:-:::::: cpe:2.3:o:qnap:quts_hero:::::::: cpe:2.3:o:qnap:quts_hero:h4.5.4.2626:-::::::
Vendors & Products		Qnap Qnap qts Qnap quts Hero

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2024-03-08T16:16:00.564Z

Updated: 2024-09-06T17:42:06.996Z

Reserved: 2023-06-08T08:26:04.295Z

Link: CVE-2023-34980

Vulnrichment

Updated: 2024-08-02T16:17:04.165Z

NVD

Status : Analyzed

Published: 2024-03-08T17:15:22.117

Modified: 2025-12-10T22:11:49.473

Link: CVE-2023-34980

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34980", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2023-06-08T08:26:04.295Z", "datePublished": "2024-03-08T16:16:00.564Z", "dateUpdated": "2024-09-06T17:42:06.996Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QTS", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "4.5.4.2627 build 20231225", "status": "affected", "version": "4.5.x", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QuTS hero", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "h4.5.4.2626 build 20231225", "status": "affected", "version": "h4.5.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tyaoo\u30010x14"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 4.5.4.2627 build 20231225 and later<br>QuTS hero h4.5.4.2626 build 20231225 and later<br>"}], "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\n"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-03-08T16:16:00.564Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-12"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 4.5.4.2627 build 20231225 and later<br>QuTS hero h4.5.4.2626 build 20231225 and later<br>"}], "value": "We have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\n"}], "source": {"advisory": "QSA-24-12", "discovery": "EXTERNAL"}, "title": "QTS, QuTS hero", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:17:04.165Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-12", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "qnap", "product": "qts", "cpes": ["cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.5.0", "status": "affected", "lessThan": "4.5.4.2627_build 20231225", "versionType": "custom"}]}, {"vendor": "qnap", "product": "quts_hero", "cpes": ["cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "h4.5", "status": "affected", "lessThan": "h4.5.4.2626_build 20231225", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-12T18:15:12.889402Z", "id": "CVE-2023-34980", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T17:42:06.996Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-12", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:17:04.165Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-34980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-12T18:15:12.889402Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qts", "versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.4.2627_build 20231225", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "quts_hero", "versions": [{"status": "affected", "version": "h4.5", "lessThan": "h4.5.4.2626_build 20231225", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:37:30.955Z"}}], "cna": {"title": "QTS, QuTS hero", "source": {"advisory": "QSA-24-12", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tyaoo\u30010x14"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QTS", "versions": [{"status": "affected", "version": "4.5.x", "lessThan": "4.5.4.2627 build 20231225", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "QNAP Systems Inc.", "product": "QuTS hero", "versions": [{"status": "affected", "version": "h4.5.x", "lessThan": "h4.5.4.2626 build 20231225", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\n", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 4.5.4.2627 build 20231225 and later<br>QuTS hero h4.5.4.2626 build 20231225 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-12"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\n", "supportingMedia": [{"type": "text/html", "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 4.5.4.2627 build 20231225 and later<br>QuTS hero h4.5.4.2626 build 20231225 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-03-08T16:16:00.564Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34980", "state": "PUBLISHED", "dateUpdated": "2024-09-06T17:42:06.996Z", "dateReserved": "2023-06-08T08:26:04.295Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2024-03-08T16:16:00.564Z", "assignerShortName": "qnap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "E634DC87-6347-4CB8-8C61-E5E47F56CA13", "versionEndExcluding": "4.5.4.2627", "versionStartIncluding": "4.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qts:4.5.4.2627:-:*:*:*:*:*:*", "matchCriteriaId": "320AEB7E-E07B-42AE-8F71-795A516BA5EA", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B689688-0791-4DD8-930C-45AD2AFBCC70", "versionEndExcluding": "h4.5.4.2626", "versionStartIncluding": "h4.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:h4.5.4.2626:-:*:*:*:*:*:*", "matchCriteriaId": "4CFA8519-D4C0-4ADC-A06B-7694943B06E7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\n"}, {"lang": "es", "value": "Se ha informado que una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo afecta a varias versiones del sistema operativo QNAP. Si se explota, la vulnerabilidad podr\u00eda permitir a los administradores autenticados ejecutar comandos a trav\u00e9s de una red. Ya hemos solucionado la vulnerabilidad en las siguientes versiones: QTS 4.5.4.2627 compilaci\u00f3n 20231225 y posteriores QuTS hero h4.5.4.2626 compilaci\u00f3n 20231225 y posteriores"}], "id": "CVE-2023-34980", "lastModified": "2025-12-10T22:11:49.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-03-08T17:15:22.117", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-12"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "[email protected]", "type": "Secondary"}]}