From 6b37e1e1e00038ad64bb25123eab21139ed0db34 Mon Sep 17 00:00:00 2001
From: Stanley S Huang
Date: Fri, 8 Sep 2023 10:03:14 +0800
Subject: [PATCH] QSA-23-13, QSA-23-14, QSA-23-16
---
 2023/23xxx/CVE-2023-23354.json | 100 +++++++++++++++++++++++++++++++--
 2023/23xxx/CVE-2023-23356.json | 100 +++++++++++++++++++++++++++++++--
 2023/23xxx/CVE-2023-23357.json | 100 +++++++++++++++++++++++++++++++--
 3 files changed, 282 insertions(+), 18 deletions(-)
diff --git a/2023/23xxx/CVE-2023-23354.json b/2023/23xxx/CVE-2023-23354.json
index c6f30bfec5f2..d9927a2ccaee 100644
--- a/2023/23xxx/CVE-2023-23354.json
+++ b/2023/23xxx/CVE-2023-23354.json
@@ -1,18 +1,106 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "security@qnap.com",
 "ID": "CVE-2023-23354",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "QuLog Center"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "QuLog Center",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "1.5.0.738 ( 2023/03/06 )"
+ },
+ {
+ "version_affected": "<",
+ "version_value": "1.4.1.691 ( 2023/03/01 )"
+ },
+ {
+ "version_affected": "<",
+ "version_value": "1.3.1.645 ( 2023/02/22 )"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "QNAP Systems Inc."
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Kaibro"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote remote authenticated users to inject malicious code. \n\nWe have already fixed the vulnerability in the following versions:\nQuLog Center 1.5.0.738 ( 2023/03/06 ) and later\nQuLog Center 1.4.1.691 ( 2023/03/01 ) and later\nQuLog Center 1.3.1.645 ( 2023/02/22 ) and later\n"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 7.3,
+ "baseSeverity": "HIGH",
+ "confidentialityImpact": "HIGH",
+ "integrityImpact": "HIGH",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79"
+ }
+ ]
 }
 ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-13"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "We have already fixed the vulnerability in the following versions:\nQuLog Center 1.5.0.738 ( 2023/03/06 ) and later\nQuLog Center 1.4.1.691 ( 2023/03/01 ) and later\nQuLog Center 1.3.1.645 ( 2023/02/22 ) and later\n"
+ }
+ ],
+ "source": {
+ "advisory": "QSA-23-13",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2023/23xxx/CVE-2023-23356.json b/2023/23xxx/CVE-2023-23356.json
index 222dedd7a36b..28c5a5daefce 100644
--- a/2023/23xxx/CVE-2023-23356.json
+++ b/2023/23xxx/CVE-2023-23356.json
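Review bot: In CVE-2023-23354.json the three `version_data` entries all use `"version_affected": "<"` with nothing to tie each bound to its release branch, so a consumer that evaluates them independently will report a fixed 1.3.1.645 or 1.4.1.691 build as affected because it is still below 1.5.0.738. Each entry would be unambiguous with a `version_name` naming its branch (a constructed example: `"version_name": "1.4.x"`) and with the build date moved out of the version string, e.g. `"version_value": "1.5.0.738"`, so the value compares as a version. The description also reads `remote remote authenticated users` and says the flaw affects "QNAP operating systems" while `affects` lists only QuLog Center. The same `version_data` layout and the same duplicated word appear in the CVE-2023-23357.json hunk.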
@@ -1,18 +1,106 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "security@qnap.com",
 "ID": "CVE-2023-23356",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "QuFirewall"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "QuFirewall",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "2.3.3 ( 2023/03/27 )"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "QNAP Systems Inc."
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Kaibro"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote authenticated administrators to execute arbitrary commands via susceptible QNAP devices. The vulnerability affects the following QNAP operating systems:\nQTS, QuTS hero, QuTScloud\n\nWe have already fixed the vulnerability in the following version:\nQuFirewall 2.3.3 ( 2023/03/27 ) and later\n"
 }
 ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 5.5,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "HIGH",
+ "scope": "CHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-77"
+ }
+ ]
+ },
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-78"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-14"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "We have already fixed the vulnerability in the following version:\nQuFirewall 2.3.3 ( 2023/03/27 ) and later\n"
+ }
+ ],
+ "source": {
+ "advisory": "QSA-23-14",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
diff --git a/2023/23xxx/CVE-2023-23357.json b/2023/23xxx/CVE-2023-23357.json
index 26f6c9bb3665..ac2473b43b42 100644
--- a/2023/23xxx/CVE-2023-23357.json
+++ b/2023/23xxx/CVE-2023-23357.json
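Review bot: In CVE-2023-23356.json the description names QTS, QuTS hero and QuTScloud as affected and says administrators can execute arbitrary commands, but `affects` lists only QuFirewall and the vector scores `C:L/I:L/A:N`. The base score 5.5 does follow from the vector as written, so the open question for a triager is whether the low impact values are deliberate or understated for command execution. Either add the operating systems as `product_data` entries or drop that sentence from the description, and state the execution context if the low impact is intended. Listing both CWE-77 and CWE-78 is redundant for an OS command injection; `CWE-78` alone is the more specific entry.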
@@ -1,18 +1,106 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "security@qnap.com",
 "ID": "CVE-2023-23357",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "QTS, QuTS hero, QuTScloud"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "QuLog Center",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<",
+ "version_value": "1.5.0.738 ( 2023/03/06 )"
+ },
+ {
+ "version_affected": "<",
+ "version_value": "1.4.1.691 ( 2023/03/01 )"
+ },
+ {
+ "version_affected": "<",
+ "version_value": "1.3.1.645 ( 2023/02/22 )"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "QNAP Systems Inc."
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Kaibro"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote remote authenticated administrators to inject malicious code.\n\nWe have already fixed the vulnerability in the following versions:\nQuLog Center 1.5.0.738 ( 2023/03/06 ) and later\nQuLog Center 1.4.1.691 ( 2023/03/01 ) and later\nQuLog Center 1.3.1.645 ( 2023/02/22 ) and later\n"
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.8,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "LOW",
+ "privilegesRequired": "HIGH",
+ "scope": "CHANGED",
+ "userInteraction": "REQUIRED",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-79"
+ }
+ ]
 }
 ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://www.qnap.com/en/security-advisory/qsa-23-16"
+ }
+ ]
+ },
+ "solution": [
+ {
+ "lang": "eng",
+ "value": "We have already fixed the vulnerability in the following versions:\nQuLog Center 1.5.0.738 ( 2023/03/06 ) and later\nQuLog Center 1.4.1.691 ( 2023/03/01 ) and later\nQuLog Center 1.3.1.645 ( 2023/02/22 ) and later\n"
+ }
+ ],
+ "source": {
+ "advisory": "QSA-23-16",
+ "discovery": "EXTERNAL"
 }
 }
\ No newline at end of file
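Review bot: The `TITLE` in CVE-2023-23357.json is `QTS, QuTS hero, QuTScloud`, yet `product_name`, the fixed versions and the `solution` text all refer to QuLog Center, so the record appears to be titled after the wrong product. If QuLog Center is correct the line should read `"TITLE": "QuLog Center"`; if the operating systems are the affected products, `affects` and `solution` need to change instead. Apart from the title, the CVSS vector, the privilege level in the description and the advisory reference, this record matches CVE-2023-23354 (same product, same three fixed builds, same credit). It is worth confirming against QSA-23-16 that the `affects` block was not carried over from QSA-23-13.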