Vulnerability Details : CVE-2023-32967
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network.
QTS 5.x, QuTS hero are not affected.
We have already fixed the vulnerability in the following versions:
- QuTScloud c5.1.5.2651 and later
- QTS 4.5.4.2627 build 20231225 and later

Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2023-32967
- cpe:2.3:o:qnap:qts:4.5.4.1715:build_20210630:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1723:build_20210708:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1741:build_20210726:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1787:build_20210910:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1800:build_20210923:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1892:build_20211223:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1931:build_20220128:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2012:build_20220419:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2117:build_20220802:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2280:build_20230112:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2374:build_20230416:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2627:-:*:*:*:*:*:*
- cpe:2.3:o:qnap:qutscloud:c5.1.0.2498:build_20230822:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-32967
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~20% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-32967
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST | 2024-02-08 |
5.0 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 3.1 | 1.4 | QNAP Systems, Inc. | 2024-02-02 |
CWE ids for CVE-2023-32967
- The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Assigned by: security@qnapsecurity.com.tw (Secondary)
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Assigned by: nvd@nist.gov (Primary), security@qnapsecurity.com.tw (Secondary)
References for CVE-2023-32967
- https://www.qnap.com/en/security-advisory/qsa-24-01 (Vulnerability in QTS and QuTScloud - Security Advisory | QNAP; Vendor Advisory)