What is CVE-2018-19949?

CVE-2018-19949 is a command injection vulnerability found in QNAP NAS File Station.

How severe is CVE-2018-19949?

CVE-2018-19949 has a severity rating of 9.8, which is considered critical.

How can CVE-2018-19949 be exploited?

CVE-2018-19949 can be exploited by remote attackers to run arbitrary commands.

Which QTS versions have fixed CVE-2018-19949?

CVE-2018-19949 has been fixed in the following QTS versions: QTS 4.4.2.1231 (build 20200302), QTS 4.4.1.1201 (build 20200130), QTS 4.3.6.1218 (build 20200214), QTS 4.3.4.1190 (build 20200329).

Where can I find more information about CVE-2018-19949?

You can find more information about CVE-2018-19949 and the fix in the QNAP security advisory QSA-20-01.

Vulnerability/
CVE-2018-19949

Exploited

critical

9.8

CWE

77 20 78

28/10/2020

5/8/2024

CVE-2018-19949: QNAP NAS File Station Command Injection Vulnerability

First published: Wed Oct 28 2020(Updated: )

If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.

Credit: security@qnapsecurity.com.tw security@qnapsecurity.com.tw

Affected Software	Affected Version	How to fix
QNAP QTS	<4.2.6
QNAP QTS	>=4.3.1.0013<4.3.3.1161
QNAP QTS	>=4.3.4<4.3.4.1190
QNAP QTS	>=4.3.6<4.3.6.1218
QNAP QTS	>=4.4.0<4.4.1.1201
QNAP QTS	>=4.4.2<4.4.2.1231
QNAP QTS	=4.2.6
QNAP QTS	=4.2.6-build_20170517
QNAP QTS	=4.2.6-build_20190322
QNAP QTS	=4.2.6-build_20190730
QNAP QTS	=4.2.6-build_20190921
QNAP QTS	=4.2.6-build_20191107
QNAP Network Attached Storage (NAS)
	<4.2.6
	>=4.3.1.0013<4.3.3.1161
	>=4.3.4<4.3.4.1190
	>=4.3.6<4.3.6.1218
	>=4.4.0<4.4.1.1201
	>=4.4.2<4.4.2.1231
	=4.2.6
	=4.2.6-build_20170517
	=4.2.6-build_20190322
	=4.2.6-build_20190730
	=4.2.6-build_20190921
	=4.2.6-build_20191107

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2018-19949?
CVE-2018-19949 is a command injection vulnerability found in QNAP NAS File Station.
How severe is CVE-2018-19949?
CVE-2018-19949 has a severity rating of 9.8, which is considered critical.
How can CVE-2018-19949 be exploited?
CVE-2018-19949 can be exploited by remote attackers to run arbitrary commands.
Which QTS versions have fixed CVE-2018-19949?
CVE-2018-19949 has been fixed in the following QTS versions: QTS 4.4.2.1231 (build 20200302), QTS 4.4.1.1201 (build 20200130), QTS 4.3.6.1218 (build 20200214), QTS 4.3.4.1190 (build 20200329).
Where can I find more information about CVE-2018-19949?
You can find more information about CVE-2018-19949 and the fix in the QNAP security advisory QSA-20-01.

collector/nvd-index
agent/type
agent/softwarecombine
agent/description
agent/title
agent/severity
agent/author
collector/mitre-cve
source/MITRE
agent/weakness
agent/last-modified-date
agent/first-publish-date
exploited/true
ransomware/true
collector/cisa-known-exploited
source/CISA
agent/software-canonical-lookup
agent/references
agent/event
agent/tags
collector/nvd-cve
source/NVD
vendor/qnap
canonical/qnap qts
version/qnap qts/4.3.1.0013
version/qnap qts/4.3.4
version/qnap qts/4.3.6
version/qnap qts/4.4.0
version/qnap qts/4.4.2
version/qnap qts/4.2.6
version/qnap qts/4.2.6-build_20170517
version/qnap qts/4.2.6-build_20190322
version/qnap qts/4.2.6-build_20190730
version/qnap qts/4.2.6-build_20190921
version/qnap qts/4.2.6-build_20191107
canonical/qnap network attached storage (nas)