CVE-2021-28815

Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4.

CVSS v3 4.9 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.qnap.com/zh-tw/security-advisory/qsa-21-26	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:qnap:myqnapcloud_link:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:qnap:qts:4.5.3:-::::::
	cpe:2.3:o:qnap:quts_hero:h4.5.2:-::::::
	cpe:2.3:o:qnap:qutscloud:c4.5.4:-::::::

History

No history.

Information

Published : 2021-06-16 04:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-28815

Mitre link : CVE-2021-28815

CVE.ORG link : CVE-2021-28815

JSON object : View

Products Affected

qnap

qts
myqnapcloud_link
quts_hero
qutscloud

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2021-28815", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security@qnapsecurity.com.tw", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.5}]}, "published": "2021-06-16T04:15:08.530", "references": [{"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-26", "tags": ["Vendor Advisory"], "source": "security@qnapsecurity.com.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@qnapsecurity.com.tw", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link versions prior to 2.2.21 on QTS 4.5.3; versions prior to 2.2.21 on QuTS hero h4.5.2; versions prior to 2.2.21 on QuTScloud c4.5.4."}, {"lang": "es", "value": "Se ha reportado de que el almacenamiento no seguro de informaci\u00f3n confidencial afecta a los NAS de QNAP que ejecutan myQNAPcloud Link. Si es explotado, esta vulnerabilidad permite a atacantes remotos leer informaci\u00f3n confidencial accediendo al mecanismo de almacenamiento sin restricciones. Este problema afecta a: Versiones de myQNAPcloud Link de QNAP Systems Inc. anteriores a 2.2.21 en QTS versiones 4.5.3; versiones anteriores a 2.2.21 en QuTS hero versiones h4.5.2; versiones anteriores a 2.2.21 en QuTScloud versiones c4.5.4"}], "lastModified": "2021-06-23T19:40:49.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qnap:myqnapcloud_link:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4FD423D3-82BD-40C5-9023-08A9DD66AACB", "versionEndExcluding": "2.2.21"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:4.5.3:-:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2F4E5174-441F-4ABA-8D4F-5040E99AEBA0"}, {"criteria": "cpe:2.3:o:qnap:quts_hero:h4.5.2:-:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D8ED5973-0C2C-44ED-8A9C-4669C46F00BA"}, {"criteria": "cpe:2.3:o:qnap:qutscloud:c4.5.4:-:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2E83E97A-D58A-44E2-A2EA-8159836A5AFE"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@qnapsecurity.com.tw"}