Vulnerability-Lookup

GHSA-X3WJ-Q2GH-27VC

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05

Details

Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-28815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-16T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4.",
  "id": "GHSA-x3wj-q2gh-27vc",
  "modified": "2022-05-24T19:05:32Z",
  "published": "2022-05-24T19:05:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28815"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-28815 (GCVE-0-2021-28815)

Vulnerability from cvelistv5 – Published: 2021-06-16 04:00 – Updated: 2024-09-17 01:16

Title

Insecure Storage of Sensitive Information in myQNAPcloud Link

Summary

Severity

6 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-922 - Insecure Storage of Sensitive Information

Assigner

qnap

References

1 reference

URL	Tags
https://www.qnap.com/zh-tw/security-advisory/qsa-21-26	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
QNAP Systems Inc.	myQNAPcloud Link	Affected: unspecified , < 2.2.21 (custom)

Date Public

2021-06-16 00:00

Credits

CJ Fairhead

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:11.489Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "QTS 4.5.3"
          ],
          "product": "myQNAPcloud Link",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "2.2.21",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "QuTS hero h4.5.2"
          ],
          "product": "myQNAPcloud Link",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "2.2.21",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "QuTScloud c4.5.4"
          ],
          "product": "myQNAPcloud Link",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "2.2.21",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "CJ Fairhead"
        }
      ],
      "datePublic": "2021-06-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-16T04:00:11.000Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "QNAP have already fixed this vulnerability in the following versions of myQNAPcloud Link:\n\nQTS 4.5.3: myQNAPcloud Link 2.2.21 and later\nQuTS hero h4.5.2: myQNAPcloud Link 2.2.21 and later\nQuTScloud c4.5.4: myQNAPcloud Link 2.2.21 and later"
        }
      ],
      "source": {
        "advisory": "QSA-21-26",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Storage of Sensitive Information in myQNAPcloud Link",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@qnap.com",
          "DATE_PUBLIC": "2021-06-16T00:32:00.000Z",
          "ID": "CVE-2021-28815",
          "STATE": "PUBLIC",
          "TITLE": "Insecure Storage of Sensitive Information in myQNAPcloud Link"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "myQNAPcloud Link",
                      "version": {
                        "version_data": [
                          {
                            "platform": "QTS 4.5.3",
                            "version_affected": "\u003c",
                            "version_value": "2.2.21"
                          },
                          {
                            "platform": "QuTS hero h4.5.2",
                            "version_affected": "\u003c",
                            "version_value": "2.2.21"
                          },
                          {
                            "platform": "QuTScloud c4.5.4",
                            "version_affected": "\u003c",
                            "version_value": "2.2.21"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "QNAP Systems Inc."
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "CJ Fairhead"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-922 Insecure Storage of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26",
              "refsource": "MISC",
              "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "QNAP have already fixed this vulnerability in the following versions of myQNAPcloud Link:\n\nQTS 4.5.3: myQNAPcloud Link 2.2.21 and later\nQuTS hero h4.5.2: myQNAPcloud Link 2.2.21 and later\nQuTScloud c4.5.4: myQNAPcloud Link 2.2.21 and later"
          }
        ],
        "source": {
          "advisory": "QSA-21-26",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2021-28815",
    "datePublished": "2021-06-16T04:00:11.639Z",
    "dateReserved": "2021-03-18T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:16:56.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-X3WJ-Q2GH-27VC

CVE-2021-28815 (GCVE-0-2021-28815)

Tags

Sightings

Nomenclature