Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-22684: Synology_SA_21_03 | Synology Inc.

Improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE
Open in Source
#vulnerability#cisco#pdf#auth

Abstract

Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).

Affected Products

Product

Severity

Fixed Release Availability

DSM 6.2

Important

Upgrade to 6.2.4-25553 or above.

DSMUC 3.0

Moderate

Pending

VS Firmware 2.3

Not affected

N/A

Mitigation

None

Detail

  • CVE-2021-26563

    • Severity: Important
    • CVSS3 Base Score: 8.2
    • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    • Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.

  • CVE-2021-29088

    • Severity: Important
    • CVSS3 Base Score: 7.8
    • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    • Improper limitation of a pathname to a restricted directory (‘Path Traversal’) in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.

  • CVE-2022-22684

    • Severity: Important
    • CVSS3 Base Score: 7.2
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/MAV:L
    • Improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote attackers to execute arbitrary commands via unspecified vectors.

  • CVE-2021-33182

    • Severity: Moderate
    • CVSS3 Base Score: 5.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
    • Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors.

Acknowledgement

  • Claudio Bozzato of Cisco Talos

  • Bing-Jhong Jheng

  • Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi’anxin Group

Revision

Revision

Date

Description

1

2021-02-23

Initial public release.

2

2021-06-10

Disclosed vulnerability details.

3

2022-07-28

Disclosed vulnerability details.

Related news

CVE-2022-22684: Synology_SA_22_03 | Synology Inc.

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote attackers to execute arbitrary commands via unspecified vectors.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE