4 vulnerabilities found for HBS 3 by QNAP Systems Inc.
CVE-2021-28809 (GCVE-0-2021-28809)
Vulnerability from nvd – Published: 2021-07-08 07:40 – Updated: 2024-09-17 00:36
VLAI
Title
Missing Authentication for Critical Function in RTRR Server in HBS3
Summary
An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system. QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later; QTS 4.3.4: HBS 3 v3.0.210506 and later; QTS 4.3.3: HBS 3 v3.0.210506 and later.
Severity
9.8 (Critical)
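CWE
- CWE-284 - Improper Access Control
- CWE-306 - Missing Authentication for Critical Function
- CWE-749 - Exposed Dangerous Method or Function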
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.qnap.com/en/security-advisory/qsa-21-19 | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-21-783/ | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v3.0.210507 (custom) |
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v3.0.210506 (custom) |
Date Public
2021-07-08 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-783/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"QTS 4.3.6"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210507",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.4"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210506",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.3"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210506",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ta-Lun Yen of TXOne IoT/ICS Security Research Labs of Trend Micro working with Trend Micro\u2019s Zero Day Initiative"
}
],
"datePublic": "2021-07-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system.QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later QTS 4.3.4: HBS 3 v3.0.210506 and later QTS 4.3.3: HBS 3 v3.0.210506 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749 Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-08T13:06:11.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-783/"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions of HBS 3:\nQTS 4.3.6: HBS 3 v3.0.210507 and later\nQTS 4.3.4: HBS 3 v3.0.210506 and later\nQTS 4.3.3: HBS 3 v3.0.210506 and later"
}
],
"source": {
"advisory": "QSA-21-19",
"discovery": "EXTERNAL"
},
"title": "Missing Authentication for Critical Function in RTRR Server\u00a0in HBS3",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-07-08T15:22:00.000Z",
"ID": "CVE-2021-28809",
"STATE": "PUBLIC",
"TITLE": "Missing Authentication for Critical Function in RTRR Server\u00a0in HBS3"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HBS 3",
"version": {
"version_data": [
{
"platform": "QTS 4.3.6",
"version_affected": "\u003c",
"version_value": "v3.0.210507"
},
{
"platform": "QTS 4.3.4",
"version_affected": "\u003c",
"version_value": "v3.0.210506"
},
{
"platform": "QTS 4.3.3",
"version_affected": "\u003c",
"version_value": "v3.0.210506"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ta-Lun Yen of TXOne IoT/ICS Security Research Labs of Trend Micro working with Trend Micro\u2019s Zero Day Initiative"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system.QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later QTS 4.3.4: HBS 3 v3.0.210506 and later QTS 4.3.3: HBS 3 v3.0.210506 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-306 Missing Authentication for Critical Function"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-749 Exposed Dangerous Method or Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-19",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-19"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-783/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-783/"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions of HBS 3:\nQTS 4.3.6: HBS 3 v3.0.210507 and later\nQTS 4.3.4: HBS 3 v3.0.210506 and later\nQTS 4.3.3: HBS 3 v3.0.210506 and later"
}
],
"source": {
"advisory": "QSA-21-19",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28809",
"datePublished": "2021-07-08T07:40:12.294Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:36:54.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28799 (GCVE-0-2021-28799)
Vulnerability from nvd – Published: 2021-05-13 02:55 – Updated: 2025-10-21 23:25
Title
Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)
Summary
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2; QNAP Systems Inc. HBS 1.3.
Severity
10 (Critical)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-285 - Improper Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.qnap.com/en/security-advisory/QSA-21-13 | x_refsource_MISC |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799 | government-resource |
Impacted products
6 products
| Vendor | Product | Version |
|---|---|---|
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v16.0.0415 (custom) |
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v3.0.210412 (custom) |
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v3.0.210411 (custom) |
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v16.0.0419 (custom) |
| QNAP Systems Inc. | HBS 2 | Unaffected: all versions |
| QNAP Systems Inc. | HBS 1.3 | Unaffected: all versions |
Date Public
2021-04-22 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.685Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/QSA-21-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-28799",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T14:53:29.275519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-31",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:25:45.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-31T00:00:00.000Z",
"value": "CVE-2021-28799 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"QTS 4.5.2"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v16.0.0415",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.6"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210412",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.4"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210411",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.3"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210411",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QuTS hero h4.5.1"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v16.0.0419",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QuTScloud c4.5.1~c4.5.4"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v16.0.0419",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "HBS 2",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "all versions"
}
]
},
{
"product": "HBS 1.3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ZUSO ART"
}
],
"datePublic": "2021-04-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T02:55:13.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/QSA-21-13"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions of HBS 3:\nQTS 4.5.2: HBS 3 v16.0.0415 and later\nQTS 4.3.6: HBS 3 v3.0.210412 and later\nQTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later\nQuTS hero h4.5.1: HBS 3 v16.0.0419 and later\nQuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later"
}
],
"source": {
"advisory": "QSA-21-13",
"discovery": "EXTERNAL"
},
"title": "Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-04-22T00:54:00.000Z",
"ID": "CVE-2021-28799",
"STATE": "PUBLIC",
"TITLE": "Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HBS 3",
"version": {
"version_data": [
{
"platform": "QTS 4.5.2",
"version_affected": "\u003c",
"version_value": "v16.0.0415"
},
{
"platform": "QTS 4.3.6",
"version_affected": "\u003c",
"version_value": "v3.0.210412"
},
{
"platform": "QTS 4.3.4",
"version_affected": "\u003c",
"version_value": "v3.0.210411"
},
{
"platform": "QTS 4.3.3",
"version_affected": "\u003c",
"version_value": "v3.0.210411"
},
{
"platform": "QuTS hero h4.5.1",
"version_affected": "\u003c",
"version_value": "v16.0.0419"
},
{
"platform": "QuTScloud c4.5.1~c4.5.4",
"version_affected": "\u003c",
"version_value": "v16.0.0419"
}
]
}
},
{
"product_name": "HBS 2",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "all versions"
}
]
}
},
{
"product_name": "HBS 1.3",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "all versions"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "ZUSO ART"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 ."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/QSA-21-13",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/QSA-21-13"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions of HBS 3:\nQTS 4.5.2: HBS 3 v16.0.0415 and later\nQTS 4.3.6: HBS 3 v3.0.210412 and later\nQTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later\nQuTS hero h4.5.1: HBS 3 v16.0.0419 and later\nQuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later"
}
],
"source": {
"advisory": "QSA-21-13",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28799",
"datePublished": "2021-05-13T02:55:13.827Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:25:45.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28809 (GCVE-0-2021-28809)
Vulnerability from cvelistv5 – Published: 2021-07-08 07:40 – Updated: 2024-09-17 00:36
VLAI
Title
Missing Authentication for Critical Function in RTRR Server in HBS3
Summary
An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system. QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later; QTS 4.3.4: HBS 3 v3.0.210506 and later; QTS 4.3.3: HBS 3 v3.0.210506 and later.
Severity
9.8 (Critical)
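CWE
- CWE-284 - Improper Access Control
- CWE-306 - Missing Authentication for Critical Function
- CWE-749 - Exposed Dangerous Method or Function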
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.qnap.com/en/security-advisory/qsa-21-19 | x_refsource_MISC |
| https://www.zerodayinitiative.com/advisories/ZDI-21-783/ | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v3.0.210507 (custom) |
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v3.0.210506 (custom) |
Date Public
2021-07-08 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-783/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"QTS 4.3.6"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210507",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.4"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210506",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.3"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210506",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ta-Lun Yen of TXOne IoT/ICS Security Research Labs of Trend Micro working with Trend Micro\u2019s Zero Day Initiative"
}
],
"datePublic": "2021-07-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system.QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later QTS 4.3.4: HBS 3 v3.0.210506 and later QTS 4.3.3: HBS 3 v3.0.210506 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749 Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-08T13:06:11.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-783/"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions of HBS 3:\nQTS 4.3.6: HBS 3 v3.0.210507 and later\nQTS 4.3.4: HBS 3 v3.0.210506 and later\nQTS 4.3.3: HBS 3 v3.0.210506 and later"
}
],
"source": {
"advisory": "QSA-21-19",
"discovery": "EXTERNAL"
},
"title": "Missing Authentication for Critical Function in RTRR Server\u00a0in HBS3",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-07-08T15:22:00.000Z",
"ID": "CVE-2021-28809",
"STATE": "PUBLIC",
"TITLE": "Missing Authentication for Critical Function in RTRR Server\u00a0in HBS3"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HBS 3",
"version": {
"version_data": [
{
"platform": "QTS 4.3.6",
"version_affected": "\u003c",
"version_value": "v3.0.210507"
},
{
"platform": "QTS 4.3.4",
"version_affected": "\u003c",
"version_value": "v3.0.210506"
},
{
"platform": "QTS 4.3.3",
"version_affected": "\u003c",
"version_value": "v3.0.210506"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ta-Lun Yen of TXOne IoT/ICS Security Research Labs of Trend Micro working with Trend Micro\u2019s Zero Day Initiative"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system.QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later QTS 4.3.4: HBS 3 v3.0.210506 and later QTS 4.3.3: HBS 3 v3.0.210506 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-306 Missing Authentication for Critical Function"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-749 Exposed Dangerous Method or Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-19",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-19"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-21-783/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-783/"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions of HBS 3:\nQTS 4.3.6: HBS 3 v3.0.210507 and later\nQTS 4.3.4: HBS 3 v3.0.210506 and later\nQTS 4.3.3: HBS 3 v3.0.210506 and later"
}
],
"source": {
"advisory": "QSA-21-19",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28809",
"datePublished": "2021-07-08T07:40:12.294Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:36:54.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28799 (GCVE-0-2021-28799)
Vulnerability from cvelistv5 – Published: 2021-05-13 02:55 – Updated: 2025-10-21 23:25
Title
Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)
Summary
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2; QNAP Systems Inc. HBS 1.3.
Severity
10 (Critical)
SSVC
Exploitation: active
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-285 - Improper Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.qnap.com/en/security-advisory/QSA-21-13 | x_refsource_MISC |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799 | government-resource |
Impacted products
6 products
| Vendor | Product | Version |
|---|---|---|
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v16.0.0415 (custom) |
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v3.0.210412 (custom) |
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v3.0.210411 (custom) |
| QNAP Systems Inc. | HBS 3 | Affected: unspecified, < v16.0.0419 (custom) |
| QNAP Systems Inc. | HBS 2 | Unaffected: all versions |
| QNAP Systems Inc. | HBS 1.3 | Unaffected: all versions |
Date Public
2021-04-22 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.685Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/QSA-21-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-28799",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T14:53:29.275519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-31",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:25:45.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-31T00:00:00.000Z",
"value": "CVE-2021-28799 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"QTS 4.5.2"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v16.0.0415",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.6"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210412",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.4"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210411",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QTS 4.3.3"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v3.0.210411",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QuTS hero h4.5.1"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v16.0.0419",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"QuTScloud c4.5.1~c4.5.4"
],
"product": "HBS 3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "v16.0.0419",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "HBS 2",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "all versions"
}
]
},
{
"product": "HBS 1.3",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ZUSO ART"
}
],
"datePublic": "2021-04-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T02:55:13.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/QSA-21-13"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions of HBS 3:\nQTS 4.5.2: HBS 3 v16.0.0415 and later\nQTS 4.3.6: HBS 3 v3.0.210412 and later\nQTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later\nQuTS hero h4.5.1: HBS 3 v16.0.0419 and later\nQuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later"
}
],
"source": {
"advisory": "QSA-21-13",
"discovery": "EXTERNAL"
},
"title": "Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-04-22T00:54:00.000Z",
"ID": "CVE-2021-28799",
"STATE": "PUBLIC",
"TITLE": "Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HBS 3",
"version": {
"version_data": [
{
"platform": "QTS 4.5.2",
"version_affected": "\u003c",
"version_value": "v16.0.0415"
},
{
"platform": "QTS 4.3.6",
"version_affected": "\u003c",
"version_value": "v3.0.210412"
},
{
"platform": "QTS 4.3.4",
"version_affected": "\u003c",
"version_value": "v3.0.210411"
},
{
"platform": "QTS 4.3.3",
"version_affected": "\u003c",
"version_value": "v3.0.210411"
},
{
"platform": "QuTS hero h4.5.1",
"version_affected": "\u003c",
"version_value": "v16.0.0419"
},
{
"platform": "QuTScloud c4.5.1~c4.5.4",
"version_affected": "\u003c",
"version_value": "v16.0.0419"
}
]
}
},
{
"product_name": "HBS 2",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "all versions"
}
]
}
},
{
"product_name": "HBS 1.3",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "all versions"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "ZUSO ART"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 ."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/QSA-21-13",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/QSA-21-13"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions of HBS 3:\nQTS 4.5.2: HBS 3 v16.0.0415 and later\nQTS 4.3.6: HBS 3 v3.0.210412 and later\nQTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later\nQuTS hero h4.5.1: HBS 3 v16.0.0419 and later\nQuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later"
}
],
"source": {
"advisory": "QSA-21-13",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28799",
"datePublished": "2021-05-13T02:55:13.827Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:25:45.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}