CVE-2024-38647

An exposure of sensitive information vulnerability has been reported to affect QNAP AI Core. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP AI Core 3.4.1 and later

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.qnap.com/en/security-advisory/qsa-24-40	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:qnap:ai_core:3.4.0:*:*:*:*:*:*:*

History

08 Dec 2025, 19:26

Type	Values Removed	Values Added
Summary		(es) Se ha informado de una vulnerabilidad de exposición de información confidencial que afecta a QNAP AI Core. Si se explota, la vulnerabilidad podría permitir a atacantes remotos comprometer la seguridad del sistema. Ya hemos corregido la vulnerabilidad en la siguiente versión: QNAP AI Core 3.4.1 y posteriores
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Qnap ai Core Qnap
CPE		cpe:2.3:a:qnap:ai_core:3.4.0:::::::*
References	~~() https://www.qnap.com/en/security-advisory/qsa-24-40 -~~	() https://www.qnap.com/en/security-advisory/qsa-24-40 - Vendor Advisory

22 Nov 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-22 16:15

Updated : 2025-12-08 19:26

NVD link : CVE-2024-38647

Mitre link : CVE-2024-38647

CVE.ORG link : CVE-2024-38647

JSON object : View

Products Affected

qnap

ai_core

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-540

Inclusion of Sensitive Information in Source Code

{"id": "CVE-2024-38647", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@qnapsecurity.com.tw", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-22T16:15:25.387", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-40", "tags": ["Vendor Advisory"], "source": "security@qnapsecurity.com.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@qnapsecurity.com.tw", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-540"}]}], "descriptions": [{"lang": "en", "value": "An exposure of sensitive information vulnerability has been reported to affect QNAP AI Core. If exploited, the vulnerability could allow remote attackers to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following version:\nQNAP AI Core 3.4.1 and later"}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial que afecta a QNAP AI Core. Si se explota, la vulnerabilidad podr\u00eda permitir a atacantes remotos comprometer la seguridad del sistema. Ya hemos corregido la vulnerabilidad en la siguiente versi\u00f3n: QNAP AI Core 3.4.1 y posteriores"}], "lastModified": "2025-12-08T19:26:54.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qnap:ai_core:3.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52E05649-6A58-4CA2-9693-49E4BD4B718B"}], "operator": "OR"}]}], "sourceIdentifier": "security@qnapsecurity.com.tw"}