CVE-2024-53693

An improper neutralization of CRLF sequences (CRLF Injection) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to modify application data.

We have already fixed the vulnerability in the following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later

Weakness

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Affected Software

Name	Vendor	Start Version	End Version
Qts	Qnap	5.2.0.2737-build_20240417 (including)	5.2.0.2737-build_20240417 (including)
Qts	Qnap	5.2.0.2744-build_20240424 (including)	5.2.0.2744-build_20240424 (including)
Qts	Qnap	5.2.0.2782-build_20240601 (including)	5.2.0.2782-build_20240601 (including)
Qts	Qnap	5.2.0.2802-build_20240620 (including)	5.2.0.2802-build_20240620 (including)
Qts	Qnap	5.2.0.2823-build_20240711 (including)	5.2.0.2823-build_20240711 (including)
Qts	Qnap	5.2.0.2851-build_20240808 (including)	5.2.0.2851-build_20240808 (including)
Qts	Qnap	5.2.0.2860-build_20240817 (including)	5.2.0.2860-build_20240817 (including)
Qts	Qnap	5.2.1.2930-build_20241025 (including)	5.2.1.2930-build_20241025 (including)
Qts	Qnap	5.2.2.2950-build_20241114 (including)	5.2.2.2950-build_20241114 (including)

Potential Mitigations

References

https://www.qnap.com/en/security-advisory/qsa-24-54

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-53693
CWE	https://cwe.mitre.org/data/definitions/93.html

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References