Synology-SA-17:64 CardDAV Server

Publish Time: 2017-11-06 16:35:38 UTC+8

Last Updated: 2017-11-06 16:35:38 UTC+8

Severity: Critical

Status: Resolved

Abstract

CVE-2017-15887 allows remote users to obtain system user account credentials through a brute-force attack against a vulnerable version of CardDAV Server.

Affected

  • Products
    • CardDAV Server before 6.0.7-0085

Description

An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack.
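The weakness described above is the absence of any limit on repeated authentication attempts against /principals. The following is an added example, not Synology's code or part of the advisory: it shows the kind of attempt limiter such a limit requires, and a detector that flags sources generating bursts of HTTP 401 responses on the /principals path in web access logs, which is useful to administrators who cannot update the package immediately. The log line format, the addresses, the thresholds and the window sizes are all assumptions constructed for the example; the real CardDAV Server log format is not described in the advisory.

```python
"""Added example (not Synology's code): limiting and detecting repeated failed
authentication against a CardDAV /principals endpoint."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed access-log lines in a common-log-like format (assumption).
# 203.0.113.7 fails six times within a few seconds; 198.51.100.4 fails twice;
# one request succeeds (207 Multi-Status) and one 401 is on an unrelated path.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2017:08:00:01 +0800] "PROPFIND /principals/ HTTP/1.1" 401 0
203.0.113.7 - - [06/Nov/2017:08:00:02 +0800] "PROPFIND /principals/ HTTP/1.1" 401 0
203.0.113.7 - - [06/Nov/2017:08:00:03 +0800] "PROPFIND /principals/ HTTP/1.1" 401 0
203.0.113.7 - - [06/Nov/2017:08:00:04 +0800] "PROPFIND /principals/ HTTP/1.1" 401 0
203.0.113.7 - - [06/Nov/2017:08:00:05 +0800] "PROPFIND /principals/ HTTP/1.1" 401 0
203.0.113.7 - - [06/Nov/2017:08:00:06 +0800] "PROPFIND /principals/ HTTP/1.1" 401 0
198.51.100.4 - - [06/Nov/2017:08:00:07 +0800] "PROPFIND /principals/ HTTP/1.1" 401 0
198.51.100.4 - - [06/Nov/2017:08:00:08 +0800] "PROPFIND /principals/ HTTP/1.1" 401 0
198.51.100.4 - - [06/Nov/2017:08:00:09 +0800] "PROPFIND /principals/ HTTP/1.1" 207 512
192.0.2.9 - - [06/Nov/2017:08:00:10 +0800] "GET /other/ HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into (ip, timestamp, path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['path'], int(m['status'])


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1),
                    path_prefix='/principals'):
    """Return {ip: peak_count} for sources with at least `threshold` 401
    responses on `path_prefix` inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status != 401 or not path.startswith(path_prefix):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


class AttemptLimiter:
    """The control the advisory says was missing: lock a key (for example an
    (ip, username) pair) out after `max_failures` within `window`, for
    `lockout`. Sizes are assumptions; tune them to the deployment."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def allowed(self, key, now):
        """Return False while `key` is locked out; clear an expired lock."""
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[key]
            self._failures.pop(key, None)
        return True

    def record_failure(self, key, now):
        """Register a failed attempt; return True if this one triggers a lockout."""
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        """A successful login resets the failure history for the key."""
        self._failures.pop(key, None)


if __name__ == '__main__':
    print(find_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

The detector keys on source address alone, so a distributed attempt spread across many addresses will stay under the per-address threshold; counting 401s per target path or per username as well closes that gap. The limiter keys on an (address, username) pair so that one noisy source does not lock out a legitimate user elsewhere.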

Mitigation

None

Update Availability

To fix the security issue, please go to DSM > Package Center and update CardDAV Server to 6.0.7-0085 or above.