CVE-2022-27597
QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)
In short
A flaw in how QNAP operating systems handle memory allows authenticated administrators to read sensitive data they shouldn't have access to. This could expose secrets like passwords or keys stored in the system.
Technical detail
An out-of-bounds read vulnerability (CWE-125) affects the QNAP QTS, QuTS hero, QuTScloud, and QVP platforms. Exploitation requires prior authentication with administrator privileges and results in unauthorized disclosure of secret values read from beyond a memory boundary.
Summary generated and translated by AI from the official description.
A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values.
The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances).
We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2346 build 20230322 and later
QuTS hero h5.0.1.2348 build 20230324 and later
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N