Vulnerability-Lookup

GHSA-V5XC-JMCQ-C9FM

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14

Details

A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-28813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-798",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-10T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later",
  "id": "GHSA-v5xc-jmcq-c9fm",
  "modified": "2022-05-24T19:14:13Z",
  "published": "2022-05-24T19:14:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28813"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-21-37"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-28813 (GCVE-0-2021-28813)

Vulnerability from cvelistv5 – Published: 2021-09-10 04:00 – Updated: 2024-09-17 00:21

Title

Insufficiently Protected Credentials Vulnerability in QSW-M2116P-2T2S and QuNetSwitch

Summary

Severity

9.6 (Critical)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

CWE

Assigner

qnap

References

1 reference

URL	Tags
https://www.qnap.com/en/security-advisory/qsa-21-37	x_refsource_MISC

Impacted products

4 products

Vendor	Product	Version
QNAP Systems Inc.	QSW-M2116P-2T2S	Affected: unspecified , < 1.0.6 build 210713 (custom)
QNAP Systems Inc.	QuNetSwitch	Affected: unspecified , < 1.0.6.1509 (custom)
QNAP Systems Inc.	QuNetSwitch	Affected: unspecified , < 1.0.6.1509 (custom)
QNAP Systems Inc.	QuNetSwitch	Affected: unspecified , < 1.0.6.1519 (custom)

Date Public

2021-09-09 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:55:11.731Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.qnap.com/en/security-advisory/qsa-21-37"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "QSW-M2116P-2T2S",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "1.0.6 build 210713",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "QGD-1600P"
          ],
          "product": "QuNetSwitch",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "1.0.6.1509",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "QGD-1602P"
          ],
          "product": "QuNetSwitch",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "1.0.6.1509",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "QGD-3014PT"
          ],
          "product": "QuNetSwitch",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "1.0.6.1519",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-09-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-259",
              "description": "CWE-259",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-10T04:00:19.000Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.qnap.com/en/security-advisory/qsa-21-37"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "We have already fixed this vulnerability in the following versions of QSW-M2116P-2T2S, QuNetSwitch:\nQSW-M2116P-2T2S 1.0.6 build 210713 and later\nQGD-1600P: QuNetSwitch 1.0.6.1509 and later\nQGD-1602P: QuNetSwitch 1.0.6.1509 and later\nQGD-3014PT: QuNetSwitch 1.0.6.1519 and later"
        }
      ],
      "source": {
        "advisory": "QSA-21-37",
        "discovery": "EXTERNAL"
      },
      "title": "Insufficiently Protected Credentials Vulnerability in QSW-M2116P-2T2S and QuNetSwitch",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@qnap.com",
          "DATE_PUBLIC": "2021-09-09T16:54:00.000Z",
          "ID": "CVE-2021-28813",
          "STATE": "PUBLIC",
          "TITLE": "Insufficiently Protected Credentials Vulnerability in QSW-M2116P-2T2S and QuNetSwitch"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "QSW-M2116P-2T2S",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.0.6 build 210713"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "QuNetSwitch",
                      "version": {
                        "version_data": [
                          {
                            "platform": "QGD-1600P",
                            "version_affected": "\u003c",
                            "version_value": "1.0.6.1509"
                          },
                          {
                            "platform": "QGD-1602P",
                            "version_affected": "\u003c",
                            "version_value": "1.0.6.1509"
                          },
                          {
                            "platform": "QGD-3014PT",
                            "version_affected": "\u003c",
                            "version_value": "1.0.6.1519"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "QNAP Systems Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability involving insecure storage of sensitive information has been reported to affect QSW-M2116P-2T2S and QNAP switches running QuNetSwitch. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism.We have already fixed this vulnerability in the following versions: QSW-M2116P-2T2S 1.0.6 build 210713 and later QGD-1600P: QuNetSwitch 1.0.6.1509 and later QGD-1602P: QuNetSwitch 1.0.6.1509 and later QGD-3014PT: QuNetSwitch 1.0.6.1519 and later"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-259"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-798"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.qnap.com/en/security-advisory/qsa-21-37",
              "refsource": "MISC",
              "url": "https://www.qnap.com/en/security-advisory/qsa-21-37"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "We have already fixed this vulnerability in the following versions of QSW-M2116P-2T2S, QuNetSwitch:\nQSW-M2116P-2T2S 1.0.6 build 210713 and later\nQGD-1600P: QuNetSwitch 1.0.6.1509 and later\nQGD-1602P: QuNetSwitch 1.0.6.1509 and later\nQGD-3014PT: QuNetSwitch 1.0.6.1519 and later"
          }
        ],
        "source": {
          "advisory": "QSA-21-37",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2021-28813",
    "datePublished": "2021-09-10T04:00:20.068Z",
    "dateReserved": "2021-03-18T00:00:00.000Z",
    "dateUpdated": "2024-09-17T00:21:02.142Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-V5XC-JMCQ-C9FM

CVE-2021-28813 (GCVE-0-2021-28813)

Tags

Sightings

Nomenclature