Cyber Resilience

CVE-2023-45038

Medium

Published: 06 September 2024

Published
06 September 2024
Modified
28 September 2024
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS Score 0.0691 91.6th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-45038 is a medium-severity Improper Authentication (CWE-287) vulnerability in Qnap Music Station. Its CVSS base score is 4.3 (Medium).

Operationally, ranked in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

An improper authentication vulnerability, identified as CWE-287, affects QNAP Music Station. The flaw carries a CVSS 4.3 score reflecting network attack vector, low complexity, no required privileges, and required user interaction, resulting in limited confidentiality impact without affecting integrity or availability. It was disclosed on 2024-09-06 and impacts versions prior to the listed fix.

Remote attackers can exploit the issue over a network to partially compromise system security, specifically by bypassing authentication controls to access limited information when a user interacts with a maliciously crafted request.

The vendor advisory at https://www.qnap.com/en/security-advisory/qsa-24-25 states that the vulnerability has been resolved in Music Station 5.4.0 and later releases, recommending that users apply the update to eliminate the exposure.

EPSS scores have remained low, with a current value of 0.0691 and a peak of 0.0854, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station…

more

5.4.0 and later

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap
music station
5.0.0 — 5.4.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-287

Detects unauthorized successful logons resulting from improper authentication implementations.

addresses: CWE-287

Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.

addresses: CWE-287

Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

addresses: CWE-287

Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.

addresses: CWE-287

Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.

addresses: CWE-287

Session content review can reveal authentication bypasses or failures in session establishment.

addresses: CWE-287

Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.

addresses: CWE-287

Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.

References