Synology-SA-24:27 DSM
Publish Time: UTC+8
Last Updated: UTC+8
- Severity: Important
- Status: Ongoing
Abstract
A vulnerability allows remote attackers to conduct denial-of-service attacks.
A vulnerability allows remote attackers to obtain sensitive information.
A vulnerability allows remote authenticated users to obtain privileges without consent.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.2.2 | Important | Upgrade to 7.2.2-72806 or above. |
| DSM 7.2.1 | Important | Upgrade to 7.2.1-69057-2 or above. |
| DSMUC 3.1 | Important | Upgrade to 3.1.4-23079 or above. |
Mitigation
None
Detail
CVE-2024-45538
- Severity: Important
- CVSS3 Base Score: 9.6
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- CWE-352: Cross-Site Request Forgery (CSRF)
- Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2024-45539
- Severity: Important
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE-787: Out-of-bounds Write
- Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.
CVE-2024-5401
- Severity: Moderate
- CVSS3 Base Score: 4.3
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CWE-913: Improper Control of Dynamically-Managed Code Resources
- Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.
Acknowledgement
Steven Lin (https://x.com/5teven1in)
Two vulnerabilities were discovered internally by Synology PSIRT.
Vo Van Thong of GE Security (VNG) (https://www.linkedin.com/in/thongvv3/)
Reference
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2024-11-27 | Initial public release. |
| 2 | 2025-12-04 | Disclosed vulnerability details. |