CVE-2018-14748

Improper Authorization vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to power off the NAS.

CVSS v3 7.5 HIGH
CVSS v2.0 7.8 HIGH

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.8^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:C

Exploitability : 10.0 / Impact : 6.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

References

Link	Resource
https://www.qnap.com/zh-tw/security-advisory/nas-201811-22	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:qnap:qts:4.2.6:::::::*
	cpe:2.3:o:qnap:qts:4.3.3:::::::*
	cpe:2.3:o:qnap:qts:4.3.4:::::::*
	cpe:2.3:o:qnap:qts:4.3.5:::::::*

History

No history.

Information

Published : 2018-11-28 16:29

Updated : 2019-10-03 00:03

NVD link : CVE-2018-14748

Mitre link : CVE-2018-14748

CVE.ORG link : CVE-2018-14748

JSON object : View

Products Affected

qnap

qts

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2018-14748", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2018-11-28T16:29:00.327", "references": [{"url": "https://www.qnap.com/zh-tw/security-advisory/nas-201811-22", "tags": ["Vendor Advisory"], "source": "security@qnapsecurity.com.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Improper Authorization vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to power off the NAS."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829 y QTS 4.2.6 build 20180829 y sus versiones anteriores podr\u00eda permitir que los atacantes remotos apaguen el NAS."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:4.2.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D9E6F8F-A433-45A7-8839-5D478FE179A4"}, {"criteria": "cpe:2.3:o:qnap:qts:4.3.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5994C07-17FE-4784-9FA4-9675BA8B4743"}, {"criteria": "cpe:2.3:o:qnap:qts:4.3.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0C7D2D4-769F-4297-89F4-75366FFA7618"}, {"criteria": "cpe:2.3:o:qnap:qts:4.3.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C7CF3D8-0BB6-410F-84C1-D48764687561"}], "operator": "OR"}]}], "sourceIdentifier": "security@qnapsecurity.com.tw"}