Synology-SA-20:06 DSM

Publish Time: 2020-04-29 18:22:25 UTC+8

Last Updated: 2022-07-27 16:17:21 UTC+8

Severity
Moderate
Status
Accepted

Abstract

Multiple vulnerabilities allow remote authenticated users to conduct denial-of-service attacks or obtain user credentials via a susceptible version of Synology DiskStation Manager (DSM).

Affected Products

Product Severity Fixed Release Availability
DSM 6.2 Moderate Upgrade to 6.2.3-25423 or above.
VS Firmware 2.3 Moderate Pending

Mitigation

None

Detail

  • CVE-2022-27610
    • Severity: Moderate
    • CVSS3 Base Score: 6.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
    • Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.

Acknowledgement

Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group

Revision

Revision Date Description
1 2020-04-29 Initial public release.
2 2022-07-27 Disclosed vulnerability details.