What are you looking for ?
Advertise with us
RAIDON

Qnap Security Advisory Bulletin ID: QSA-20-21 ~ QSA-20-23 Affecting NAS

Concerning improper limitation of pathname to restricted directory in QTS, cleartext transmission of sensitive information in SNMP, and cleartext storage of sensitive information in cookies

Qnap Systems, Inc. had published security enhancement vs. security vulnerabilities that could affect specific versions of products.

Following information and solutions to correct the security issues and vulnerabilities:

Advisory includes following:

Improper Limitation of Pathname to Restricted Directory in QTS
Security ID: QSA-20-21
Release date: December 30, 2020
Severity: High
CVE identifier: CVE-2018-19945
Affected products: Certain Q
nap NAS

Summary
A vulnerability has been reported to affect earlier Q
nap devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited.

We have already fixed this vulnerability in the following versions:

  • QTS 4.3.6.0895 build 20190328 (and later)

  • QTS 4.3.4.0899 build 20190322 (and later)

This issue does not affect QTS 4.4.x or QTS 4.5.x.

Link for information

Cleartext Transmission of Sensitive Information in SNMP
Security ID: QSA-20-22
Release date: December 30, 2020
Severity: Medium
CVE identifier: CVE-2018-19944
Affected products: Certain Q
nap NAS

Summary
A vulnerability has been reported to affect Q
nap devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information during cleartext transmission.

We have already fixed this vulnerability in the following versions:

  • QTS 4.4.3.1354 build 20200702 (and later)

Link for information

Cleartext Storage of Sensitive Information in Cookies
Security ID: QSA-20-23
Release date: December 30, 2020
Severity: Medium
CVE identifier: CVE-2018-19941
Affected products: All
Qnap NAS

Summary
A vulnerability has been reported to affect Qnap NAS. If exploited, this vulnerability allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools.

We have already fixed this vulnerability in the following versions:

  • QTS 4.5.1.1456 build 20201015 (and later)

  • QuTS hero h4.5.1.1472 build 20201031 (and later)

  • QuTScloud c4.5.2.1379 build 20200730 (and later)

Link for information

Questions regarding this issue: contact

Read also :
Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E