CVE-2019-7198

Summary

This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later

Affected Software

VendorProductVersion RangeStatus
QNAP Systems Inc.QTS< 4.5.1.1456affected
QNAP Systems Inc.QTS< 4.4.3.1354affected
QNAP Systems Inc.QuTS hero< h4.5.1.1472affected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-78: CWE-78 OS Command Injection

ADP Enrichment

CVE Program Container

Additional References

References