CVE-2024-21900 - Vulnerability Details - OpenCVE

An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.08842.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Qnap	Qts Quts Hero Qutscloud

Configuration 1 [-]

OR	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:qts:5.1.3.2578:-::::::
	cpe:2.3:o:qnap:quts_hero::::::::
	cpe:2.3:o:qnap:quts_hero:h5.1.3.2578:-::::::
	cpe:2.3:o:qnap:qutscloud::::::::

No data.

No data.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-24-09

History

Wed, 17 Dec 2025 05:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'No', 'Exploitation': 'None', 'Technical Impact': 'Partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 16 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:qnap:qts:5.1.x:::::::* cpe:2.3:o:qnap:quts_hero:-:::::::* cpe:2.3:o:qnap:qutscloud:-:::::::*
Metrics		ssvc `{'options': {'Automatable': 'No', 'Exploitation': 'None', 'Technical Impact': 'Partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2024-03-08T16:17:29.628Z

Updated: 2025-12-16T18:13:18.660Z

Reserved: 2024-01-03T02:31:17.843Z

Link: CVE-2024-21900

Vulnrichment

Updated: 2024-08-01T22:35:34.489Z

NVD

Status : Modified

Published: 2024-03-08T17:15:22.793

Modified: 2024-11-21T08:55:13.737

Link: CVE-2024-21900

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-21900", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2024-01-03T02:31:17.843Z", "datePublished": "2024-03-08T16:17:29.628Z", "dateUpdated": "2025-12-16T18:13:18.660Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QTS", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "5.1.3.2578 build 20231110", "status": "affected", "version": "5.1.x", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QuTS hero", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "h5.1.3.2578 build 20231110", "status": "affected", "version": "h5.1.x", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QuTScloud", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "c5.1.5.2651", "status": "affected", "version": "c5.x.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "ZDI-CAN-22493/22494 : DEVCORE"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 5.1.3.2578 build 20231110 and later<br>QuTS hero h5.1.3.2578 build 20231110 and later<br>QuTScloud c5.1.5.2651 and later<br>"}], "value": "An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"}], "impacts": [{"capecId": "CAPEC-64", "descriptions": [{"lang": "en", "value": "CAPEC-64"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-03-08T16:17:29.628Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 5.1.3.2578 build 20231110 and later<br>QuTS hero h5.1.3.2578 build 20231110 and later<br>QuTScloud c5.1.5.2651 and later<br>"}], "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"}], "source": {"advisory": "QSA-24-09", "discovery": "EXTERNAL"}, "title": "QTS, QuTS hero, QuTScloud", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21900", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-10T04:00:37.139688Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qnap:qts:5.1.x:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qts", "versions": [{"status": "affected", "version": "5.1.x", "lessThan": "5.1.3.2578 build 20231110", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:qnap:quts_hero:-:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "quts_hero", "versions": [{"status": "affected", "version": "h5.1.x", "lessThan": "h5.1.3.2578 build 20231110", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:qnap:qutscloud:-:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qutscloud", "versions": [{"status": "affected", "version": "c5.x.x", "lessThan": "c5.1.5.2651", "versionType": "custom"}], "defaultStatus": "unknown"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T18:13:18.660Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.489Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-09", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-09", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.489Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21900", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-10T04:00:37.139688Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:qnap:qts:5.1.x:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qts", "versions": [{"status": "affected", "version": "5.1.x", "lessThan": "5.1.3.2578 build 20231110 ", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:qnap:quts_hero:-:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "quts_hero", "versions": [{"status": "affected", "version": "h5.1.x", "lessThan": "h5.1.3.2578 build 20231110 ", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:o:qnap:qutscloud:-:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qutscloud", "versions": [{"status": "affected", "version": "c5.x.x", "lessThan": "c5.1.5.2651 ", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-21T15:17:23.672Z"}}], "cna": {"title": "QTS, QuTS hero, QuTScloud", "source": {"advisory": "QSA-24-09", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "ZDI-CAN-22493/22494 : DEVCORE"}], "impacts": [{"capecId": "CAPEC-64", "descriptions": [{"lang": "en", "value": "CAPEC-64"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QTS", "versions": [{"status": "affected", "version": "5.1.x", "lessThan": "5.1.3.2578 build 20231110", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "QNAP Systems Inc.", "product": "QuTS hero", "versions": [{"status": "affected", "version": "h5.1.x", "lessThan": "h5.1.3.2578 build 20231110", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "QNAP Systems Inc.", "product": "QuTScloud", "versions": [{"status": "affected", "version": "c5.x.x", "lessThan": "c5.1.5.2651", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 5.1.3.2578 build 20231110 and later<br>QuTS hero h5.1.3.2578 build 20231110 and later<br>QuTScloud c5.1.5.2651 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n", "supportingMedia": [{"type": "text/html", "value": "An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 5.1.3.2578 build 20231110 and later<br>QuTS hero h5.1.3.2578 build 20231110 and later<br>QuTScloud c5.1.5.2651 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-03-08T16:17:29.628Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21900", "state": "PUBLISHED", "dateUpdated": "2025-12-16T18:13:18.660Z", "dateReserved": "2024-01-03T02:31:17.843Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2024-03-08T16:17:29.628Z", "assignerShortName": "qnap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5C86981-E711-447D-8976-FD2B94525739", "versionEndExcluding": "5.1.3.2578", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qts:5.1.3.2578:-:*:*:*:*:*:*", "matchCriteriaId": "34ACC24E-E1E8-4014-8DF7-9A85F3D45FF1", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*", "matchCriteriaId": "69500DDF-CBAB-4C7B-AA2E-61F580F0E361", "versionEndExcluding": "h5.1.3.2578", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:h5.1.3.2578:-:*:*:*:*:*:*", "matchCriteriaId": "53222633-E4D8-453D-9A0E-E170CC163D0B", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "F240677F-D84E-464E-B612-B583EE3D877F", "versionEndExcluding": "c5.1.5.2651", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"}, {"lang": "es", "value": "Se ha informado que una vulnerabilidad de inyecci\u00f3n afecta a varias versiones del sistema operativo QNAP. Si se explota, la vulnerabilidad podr\u00eda permitir a los usuarios autenticados ejecutar comandos a trav\u00e9s de una red. El fabricante ha solucionado la vulnerabilidad en las siguientes versiones: QTS 5.1.3.2578 build 20231110 y posteriores QuTS hero h5.1.3.2578 build 20231110 y posteriores QuTScloud c5.1.5.2651 y posteriores"}], "id": "CVE-2024-21900", "lastModified": "2024-11-21T08:55:13.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-08T17:15:22.793", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-09"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-09"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}