CVE-2021-44052 vulnerability in QNAP Products
Published on May 5, 2022
Arbitrary file read
An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 4.3.4.1976 build 20220303 and later QTS 4.3.3.1945 build 20220303 and later QTS 4.2.6 build 20220304 and later QTS 4.3.6.1965 build 20220302 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
Vulnerability Analysis
CVE-2021-44052 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an insecure temporary file Vulnerability?
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CVE-2021-44052 has been classified to as an insecure temporary file vulnerability or weakness.
Products Associated with CVE-2021-44052
Want to know whenever a new CVE is published for QNAP products? stack.watch will email you.
Affected Versions
QNAP Systems Inc. QuTScloud:- Version unspecified and below c5.0.1.1998 is affected.
- Version unspecified and below h4.5.4.1971 build 20220310 is affected.
- Version unspecified and below h5.0.0.1986 build 20220324 is affected.
- Version unspecified and below 4.3.4.1976 build 20220303 is affected.
- Version unspecified and below 4.3.3.1945 build 20220303 is affected.
- Version unspecified and below 4.2.6 build 20220304 is affected.
- Version unspecified and below 4.3.6.1965 build 20220302 is affected.
- Version unspecified and below 5.0.0.1986 build 20220324 is affected.
- Version unspecified and below 4.5.4.1991 build 20220329 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.