Vulnerabilities related to Synology - Synology DiskStation Manager (DSM)
cve-2021-33182
Vulnerability from cvelistv5
Published
2021-06-01 09:50
Modified
2024-09-16 19:05
Severity
5.0 (MEDIUM), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors.
References
URL | Tags
---|---
https://www.synology.com/security/advisory/Synology_SA_21_03 | x_refsource_CONFIRM
Impacted products
Vendor | Product | Version
---|---|---
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.4-25553
cve-2021-27647
Vulnerability from cvelistv5
Published
2021-03-12 06:35
Modified
2024-09-16 20:13
Severity
9.8 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
References
URL | Tags
---|---
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM
https://www.zerodayinitiative.com/advisories/ZDI-21-339/ | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3
cve-2017-15894
Vulnerability from cvelistv5
Published
2017-12-08 16:00
Modified
2024-09-16 19:31
Summary
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
References
URL | Tags
---|---
https://www.synology.com/en-global/support/security/Synology_SA_17_70_DSM | x_refsource_CONFIRM
Impacted products
Vendor | Product | Version
---|---|---
Synology | Synology DiskStation Manager (DSM) | 6.0.x before 6.0.3-8754-3; before 5.2-5967-6
cve-2021-29083
Vulnerability from cvelistv5
Published
2021-04-01 05:20
Modified
2024-09-17 02:42
Severity
7.2 (HIGH), CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter.
References
URL | Tags
---|---
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM
Impacted products
Vendor | Product | Version
---|---|---
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3
cve-2021-27646
Vulnerability from cvelistv5
Published
2021-03-12 06:45
Modified
2024-09-16 18:54
Severity
9.8 (CRITICAL), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
References
URL | Tags
---|---
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM
https://www.zerodayinitiative.com/advisories/ZDI-21-340/ | x_refsource_MISC
https://www.zerodayinitiative.com/advisories/ZDI-21-339/ | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3
cve-2021-26562
Vulnerability from cvelistv5
Published
2021-02-26 21:45
Modified
2024-09-17 04:08
Severity
9.0 (CRITICAL), CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
References
URL | Tags
---|---
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM
https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3
cve-2021-26560
Vulnerability from cvelistv5
Published
2021-02-26 21:45
Modified
2024-09-17 01:30
Severity
9.0 (CRITICAL), CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
References
URL | Tags
---|---
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM
https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3
cve-2021-26565
Vulnerability from cvelistv5
Published
2021-02-26 21:45
Modified
2024-09-17 01:27
Severity
8.3 (HIGH), CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
References
URL | Tags
---|---
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM
https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3
cve-2021-26569
Vulnerability from cvelistv5
Published: 2021-03-12 06:40
Modified: 2024-09-17 03:49
Summary
Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
References
URL | Tags |
---|---|
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM |
https://www.zerodayinitiative.com/advisories/ZDI-21-338/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T20:26:25.555Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.zerodayinitiative.com/advisories/ZDI-21-338/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Synology DiskStation Manager (DSM)", vendor: "Synology", versions: [ { lessThan: "6.2.3-25426-3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2021-03-12T00:00:00", descriptions: [ { lang: "en", value: "Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-366", description: "CWE-366: Race Condition within a Thread", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-03-18T14:06:40", orgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", shortName: "synology", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { tags: [ "x_refsource_MISC", ], url: "https://www.zerodayinitiative.com/advisories/ZDI-21-338/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@synology.com", DATE_PUBLIC: "2021-03-12T06:01:35.532754", ID: "CVE-2021-26569", STATE: "PUBLIC", }, affects: { vendor: { 
vendor_data: [ { product: { product_data: [ { product_name: "Synology DiskStation Manager (DSM)", version: { version_data: [ { affected: "<", version_affected: "<", version_value: "6.2.3-25426-3", }, ], }, }, ], }, vendor_name: "Synology", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.", }, ], }, impact: { cvss: { baseScore: "9.8", vectorString: "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-366: Race Condition within a Thread", }, ], }, ], }, references: { reference_data: [ { name: "https://www.synology.com/security/advisory/Synology_SA_20_26", refsource: "CONFIRM", url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { name: "https://www.zerodayinitiative.com/advisories/ZDI-21-338/", refsource: "MISC", url: "https://www.zerodayinitiative.com/advisories/ZDI-21-338/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", assignerShortName: "synology", cveId: "CVE-2021-26569", datePublished: "2021-03-12T06:40:13.071732Z", dateReserved: "2021-02-02T00:00:00", dateUpdated: "2024-09-17T03:49:02.807Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-29088
Vulnerability from cvelistv5
Published: 2021-06-01 09:45
Modified: 2024-09-16 20:16
Summary
Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
References
URL | Tags |
---|---|
https://www.synology.com/security/advisory/Synology_SA_21_03 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version |
---|---|---|
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.4-25553 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T21:55:12.619Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/security/advisory/Synology_SA_21_03", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Synology DiskStation Manager (DSM)", vendor: "Synology", versions: [ { lessThan: "6.2.4-25553", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2021-05-18T00:00:00", descriptions: [ { lang: "en", value: "Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-06-01T09:45:20", orgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", shortName: "synology", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/security/advisory/Synology_SA_21_03", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@synology.com", DATE_PUBLIC: "2021-05-18T06:15:41.149855", ID: "CVE-2021-29088", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Synology DiskStation Manager (DSM)", version: { version_data: [ { affected: "<", version_affected: "<", 
version_value: "6.2.4-25553", }, ], }, }, ], }, vendor_name: "Synology", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.", }, ], }, impact: { cvss: { baseScore: "7.8", vectorString: "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, ], }, ], }, references: { reference_data: [ { name: "https://www.synology.com/security/advisory/Synology_SA_21_03", refsource: "CONFIRM", url: "https://www.synology.com/security/advisory/Synology_SA_21_03", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", assignerShortName: "synology", cveId: "CVE-2021-29088", datePublished: "2021-06-01T09:45:20.782280Z", dateReserved: "2021-03-23T00:00:00", dateUpdated: "2024-09-16T20:16:24.198Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-26561
Vulnerability from cvelistv5
Published: 2021-02-26 21:45
Modified: 2024-09-16 23:06
Summary
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
References
URL | Tags |
---|---|
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T20:26:25.449Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Synology DiskStation Manager (DSM)", vendor: "Synology", versions: [ { lessThan: "6.2.3-25426-3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2021-02-26T00:00:00", descriptions: [ { lang: "en", value: "Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-121", description: "CWE-121: Stack-based Buffer Overflow", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-04-19T18:06:13", orgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", shortName: "synology", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { tags: [ "x_refsource_MISC", ], url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@synology.com", DATE_PUBLIC: "2021-02-26T00:00:00", ID: "CVE-2021-26561", STATE: "PUBLIC", }, 
affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Synology DiskStation Manager (DSM)", version: { version_data: [ { affected: "<", version_affected: "<", version_value: "6.2.3-25426-3", }, ], }, }, ], }, vendor_name: "Synology", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.", }, ], }, impact: { cvss: { baseScore: "9.0", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-121: Stack-based Buffer Overflow", }, ], }, ], }, references: { reference_data: [ { name: "https://www.synology.com/security/advisory/Synology_SA_20_26", refsource: "CONFIRM", url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { name: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159", refsource: "MISC", url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", assignerShortName: "synology", cveId: "CVE-2021-26561", datePublished: "2021-02-26T21:45:31.206502Z", dateReserved: "2021-02-02T00:00:00", dateUpdated: "2024-09-16T23:06:05.777Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-26564
Vulnerability from cvelistv5
Published: 2021-02-26 21:45
Modified: 2024-09-17 00:46
Summary
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
References
URL | Tags |
---|---|
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T20:26:25.479Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Synology DiskStation Manager (DSM)", vendor: "Synology", versions: [ { lessThan: "6.2.3-25426-3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2021-02-26T00:00:00", descriptions: [ { lang: "en", value: "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-319", description: "CWE-319: Cleartext Transmission of Sensitive Information", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-05-12T12:50:50", orgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", shortName: "synology", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { tags: [ "x_refsource_MISC", ], url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@synology.com", DATE_PUBLIC: "2021-02-26T00:00:00", ID: "CVE-2021-26564", STATE: 
"PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Synology DiskStation Manager (DSM)", version: { version_data: [ { affected: "<", version_affected: "<", version_value: "6.2.3-25426-3", }, ], }, }, ], }, vendor_name: "Synology", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.", }, ], }, impact: { cvss: { baseScore: "8.3", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-319: Cleartext Transmission of Sensitive Information", }, ], }, ], }, references: { reference_data: [ { name: "https://www.synology.com/security/advisory/Synology_SA_20_26", refsource: "CONFIRM", url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { name: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160", refsource: "MISC", url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", assignerShortName: "synology", cveId: "CVE-2021-26564", datePublished: "2021-02-26T21:45:33.663943Z", dateReserved: "2021-02-02T00:00:00", dateUpdated: "2024-09-17T00:46:03.051Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-26566
Vulnerability from cvelistv5
Published: 2021-02-26 21:45
Modified: 2024-09-17 03:23
Summary
Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
References
URL | Tags |
---|---|
https://www.synology.com/security/advisory/Synology_SA_20_26 | x_refsource_CONFIRM |
https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Synology | Synology DiskStation Manager (DSM) | unspecified < 6.2.3-25426-3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T20:26:25.445Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Synology DiskStation Manager (DSM)", vendor: "Synology", versions: [ { lessThan: "6.2.3-25426-3", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2021-02-26T00:00:00", descriptions: [ { lang: "en", value: "Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-201", description: "CWE-201: Insertion of Sensitive Information Into Sent Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-04-19T19:06:25", orgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", shortName: "synology", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { tags: [ "x_refsource_MISC", ], url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@synology.com", DATE_PUBLIC: "2021-02-26T00:00:00", ID: 
"CVE-2021-26566", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Synology DiskStation Manager (DSM)", version: { version_data: [ { affected: "<", version_affected: "<", version_value: "6.2.3-25426-3", }, ], }, }, ], }, vendor_name: "Synology", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.", }, ], }, impact: { cvss: { baseScore: "8.3", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-201: Insertion of Sensitive Information Into Sent Data", }, ], }, ], }, references: { reference_data: [ { name: "https://www.synology.com/security/advisory/Synology_SA_20_26", refsource: "CONFIRM", url: "https://www.synology.com/security/advisory/Synology_SA_20_26", }, { name: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160", refsource: "MISC", url: "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "db201096-a0cc-46c7-9a55-61d9e221bf01", assignerShortName: "synology", cveId: "CVE-2021-26566", datePublished: "2021-02-26T21:45:35.118113Z", dateReserved: "2021-02-02T00:00:00", dateUpdated: "2024-09-17T03:23:15.693Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }