CVE-2024-21905 - Vulnerability Details - OpenCVE

An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Qts Quts Hero Qutscloud

Configuration 1 [-]

OR	cpe:2.3:o:qnap:qts::::::::
	cpe:2.3:o:qnap:qts:5.1.3.2578:-::::::
	cpe:2.3:o:qnap:quts_hero::::::::
	cpe:2.3:o:qnap:quts_hero:h5.1.3.2578:-::::::
	cpe:2.3:o:qnap:qutscloud::::::::

No data.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-24-16

History

Fri, 05 Dec 2025 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Qnap Qnap qts Qnap quts Hero Qnap qutscloud
CPEs		cpe:2.3:o:qnap:qts:::::::: cpe:2.3:o:qnap:qts:5.1.3.2578:-:::::: cpe:2.3:o:qnap:quts_hero:::::::: cpe:2.3:o:qnap:quts_hero:h5.1.3.2578:-:::::: cpe:2.3:o:qnap:qutscloud::::::::
Vendors & Products		Qnap Qnap qts Qnap quts Hero Qnap qutscloud

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2024-04-26T15:01:00.169Z

Updated: 2024-08-12T19:31:28.640Z

Reserved: 2024-01-03T02:31:17.844Z

Link: CVE-2024-21905

Vulnrichment

Updated: 2024-08-01T22:35:34.830Z

NVD

Status : Analyzed

Published: 2024-04-26T15:15:48.313

Modified: 2025-12-05T21:31:00.247

Link: CVE-2024-21905

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21905", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2024-01-03T02:31:17.844Z", "datePublished": "2024-04-26T15:01:00.169Z", "dateUpdated": "2024-08-12T19:31:28.640Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "QTS", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "5.1.3.2578 build 20231110", "status": "affected", "version": "5.1.x", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QuTS hero", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "h5.1.3.2578 build 20231110", "status": "affected", "version": "h5.1.x", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "QuTScloud", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "c5.1.5.2651", "status": "affected", "version": "c5.x.x", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 5.1.3.2578 build 20231110 and later<br>QuTS hero h5.1.3.2578 build 20231110 and later<br>QuTScloud c5.1.5.2651 and later<br>"}], "value": "An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"}], "impacts": [{"capecId": "CAPEC-92", "descriptions": [{"lang": "en", "value": "CAPEC-92"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-04-26T15:01:00.169Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-16"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 5.1.3.2578 build 20231110 and later<br>QuTS hero h5.1.3.2578 build 20231110 and later<br>QuTScloud c5.1.5.2651 and later<br>"}], "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"}], "source": {"advisory": "QSA-24-16", "discovery": "EXTERNAL"}, "title": "QTS, QuTS hero, QuTScloud", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "qnap", "product": "qts", "cpes": ["cpe:2.3:o:qnap:qts:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.1.0", "status": "affected", "lessThan": "5.1.3.2578 build 20231110", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-30T14:20:50.434461Z", "id": "CVE-2024-21905", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T19:31:28.640Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.830Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-16", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-16", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.830Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21905", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-30T14:20:50.434461Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:qnap:qts:-:*:*:*:*:*:*:*"], "vendor": "qnap", "product": "qts", "versions": [{"status": "affected", "version": "5.1.0", "lessThan": "5.1.3.2578 build 20231110", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-30T14:19:33.663Z"}}], "cna": {"title": "QTS, QuTS hero, QuTScloud", "source": {"advisory": "QSA-24-16", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-92", "descriptions": [{"lang": "en", "value": "CAPEC-92"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QTS", "versions": [{"status": "affected", "version": "5.1.x", "lessThan": "5.1.3.2578 build 20231110", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "QNAP Systems Inc.", "product": "QuTS hero", "versions": [{"status": "affected", "version": "h5.1.x", "lessThan": "h5.1.3.2578 build 20231110", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "QNAP Systems Inc.", "product": "QuTScloud", "versions": [{"status": "affected", "version": "c5.x.x", "lessThan": "c5.1.5.2651", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>QTS 5.1.3.2578 build 20231110 and later<br>QuTS hero h5.1.3.2578 build 20231110 and later<br>QuTScloud c5.1.5.2651 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-16"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n", "supportingMedia": [{"type": "text/html", "value": "An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>QTS 5.1.3.2578 build 20231110 and later<br>QuTS hero h5.1.3.2578 build 20231110 and later<br>QuTScloud c5.1.5.2651 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-04-26T15:01:00.169Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21905", "state": "PUBLISHED", "dateUpdated": "2024-08-12T19:31:28.640Z", "dateReserved": "2024-01-03T02:31:17.844Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2024-04-26T15:01:00.169Z", "assignerShortName": "qnap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*", "matchCriteriaId": "F834B814-21B8-479A-A9AD-5026F0400826", "versionEndExcluding": "5.1.3.2578", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qts:5.1.3.2578:-:*:*:*:*:*:*", "matchCriteriaId": "34ACC24E-E1E8-4014-8DF7-9A85F3D45FF1", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F0727E2-63D1-476B-B110-AB7E97FD08E6", "versionEndExcluding": "h5.1.3.2578", "versionStartIncluding": "h5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:quts_hero:h5.1.3.2578:-:*:*:*:*:*:*", "matchCriteriaId": "53222633-E4D8-453D-9A0E-E170CC163D0B", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B9BF274-5800-4A1E-A2BE-9E7B62BBF9BC", "versionEndExcluding": "c5.1.5.2651", "versionStartIncluding": "c5.0.0.1919", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"}, {"lang": "es", "value": "Se ha informado que una vulnerabilidad de desbordamiento de enteros o envoltura afecta a varias versiones del sistema operativo QNAP. Si se explota, la vulnerabilidad podr\u00eda permitir a los usuarios comprometer la seguridad del sistema a trav\u00e9s de una red. Ya hemos solucionado la vulnerabilidad en las siguientes versiones: QTS 5.1.3.2578 build 20231110 y posteriores QuTS hero h5.1.3.2578 build 20231110 y posteriores QuTScloud c5.1.5.2651 y posteriores"}], "id": "CVE-2024-21905", "lastModified": "2025-12-05T21:31:00.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-26T15:15:48.313", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-16"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}