CVE-2021-28805

Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C; versions prior to 1.0.3 build 20210505 on QSW-M2108-2S; versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C; versions prior to 1.0.12 build 20210506 on QSW-M408.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.qnap.com/zh-tw/security-advisory/qsa-21-24	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:qnap:qss:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:qnap:qsw-m2108-2c:-:::::::*
	cpe:2.3:h:qnap:qsw-m2108-2s:-:::::::*
	cpe:2.3:h:qnap:qsw-m2108r-2c:-:::::::*

Configuration 2 (hide)

AND

cpe:2.3:a:qnap:qss:*:*:*:*:*:*:*:*

cpe:2.3:h:qnap:qsw-m408:-:*:*:*:*:*:*:*

History

23 Jun 2021, 15:44

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 2.1 v3 : 5.5
CWE		CWE-200
CPE		cpe:2.3:h:qnap:qsw-m408:-:::::::* cpe:2.3:h:qnap:qsw-m2108r-2c:-:::::::* cpe:2.3:h:qnap:qsw-m2108-2s:-:::::::* cpe:2.3:h:qnap:qsw-m2108-2c:-:::::::* cpe:2.3:a:qnap:qss::::::::
References	~~(MISC) https://www.qnap.com/zh-tw/security-advisory/qsa-21-24 -~~	(MISC) https://www.qnap.com/zh-tw/security-advisory/qsa-21-24 - Vendor Advisory

11 Jun 2021, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-06-11 07:15

Updated : 2023-12-10 13:55

NVD link : CVE-2021-28805

Mitre link : CVE-2021-28805

CVE.ORG link : CVE-2021-28805

JSON object : View

Products Affected

qnap

qsw-m2108r-2c
qsw-m2108-2s
qsw-m2108-2c
qss
qsw-m408

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-540

Inclusion of Sensitive Information in Source Code

{"id": "CVE-2021-28805", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security@qnapsecurity.com.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2021-06-11T07:15:06.593", "references": [{"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-24", "tags": ["Vendor Advisory"], "source": "security@qnapsecurity.com.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Secondary", "source": "security@qnapsecurity.com.tw", "description": [{"lang": "en", "value": "CWE-540"}]}], "descriptions": [{"lang": "en", "value": "Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C; versions prior to 1.0.3 build 20210505 on QSW-M2108-2S; versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C; versions prior to 1.0.12 build 20210506 on QSW-M408."}, {"lang": "es", "value": "Se ha reportado la inclusi\u00f3n de informaci\u00f3n confidencial en el c\u00f3digo fuente que afecta a determinados switches de QNAP que ejecutan QSS. Si es explotada, esta vulnerabilidad permite a atacantes leer datos de la aplicaci\u00f3n. Este problema afecta: QNAP Systems Inc. QSS versiones anteriores a 1.0.3 build 20210505 en QSW-M2108-2C; versiones anteriores a 1.0.3 build 20210505 en QSW-M2108-2S; versiones anteriores a 1.0.3 build 20210505 en QSW-M2108R-2C; versiones anteriores a 1.0.12 build 20210506 en QSW-M408"}], "lastModified": "2022-10-18T21:06:17.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qss:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74B6E008-6B5D-48EB-99B4-DB9BC1120F8E", "versionEndExcluding": "1.0.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qnap:qsw-m2108-2c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A690794E-3F9B-47DA-A365-E8F100C730E2"}, {"criteria": "cpe:2.3:h:qnap:qsw-m2108-2s:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "21692724-A864-4CEB-898C-4E6691C403C1"}, {"criteria": "cpe:2.3:h:qnap:qsw-m2108r-2c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "37F5E9FC-2CE2-473F-81C1-676BCCFFBD3D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qss:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D07C936-1C05-4269-8DC9-9AF534B5177B", "versionEndExcluding": "1.0.12"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qnap:qsw-m408:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9D7605B1-0C50-4CF5-81A8-61FE897DA748"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@qnapsecurity.com.tw"}