Headline
CVE-2022-27610: Synology_SA_20_06 | Synology Inc.
Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.
Abstract
Multiple vulnerabilities allow remote authenticated users to conduct denial-of-service attacks or obtain user credentials via a susceptible version of Synology DiskStation Manager (DSM).
Affected Products
Product
Severity
Fixed Release Availability
DSM 6.2
Moderate
Upgrade to 6.2.3-25423 or above.
VS Firmware 2.3
Moderate
Pending
Mitigation
None
Detail
- CVE-2022-27610
- Severity: Moderate
- CVSS3 Base Score: 6.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
- Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.
Acknowledgement
Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi’anxin Group
Revision
Revision
Date
Description
1
2020-04-29
Initial public release.
2
2022-07-27
Disclosed vulnerability details.