Synology-SA-24:27 DSM

Abstract

A vulnerability allow remote attackers to conduct denial-of-service attacks.

A vulnerability allow remote attackers to obtain sensitive information.

A vulnerability allow remote authenticated users to obtain privileges without consent.

Affected Products

Product	Severity	Fixed Release Availability
DSM 7.2.2	Important	Upgrade to 7.2.2-72806 or above.
DSM 7.2.1	Important	Upgrade to 7.2.1-69057-2 or above.
DSMUC 3.1	Important	Upgrade to 3.1.4-23079 or above.

Mitigation

None

Detail

• CVE-2024-45538

  • Severity: Important
  • CVSS3 Base Score: 9.6
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2024-45539

  • Severity: Important
  • CVSS3 Base Score: 7.5
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CWE-787: Out-of-bounds Write
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

• CVE-2024-5401

  • Severity: Moderate
  • CVSS3 Base Score: 4.3
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CWE-913: Improper Control of Dynamically-Managed Code Resources
  • ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Acknowledgement

• Two vulnerabilities were discovered internally by Synology PSIRT.

• Vo Van Thong of GE Security (VNG) (https://www.linkedin.com/in/thongvv3/)

Revision

Revision	Date	Description
1	2024-11-27	Initial public release.