Search

Find a vulnerability

Search criteria

    40 vulnerabilities found for diskstation_manager_unified_controller by synology

    CVE-2024-5401 (GCVE-0-2024-5401)

    Vulnerability from nvd – Published: 2025-12-04 14:20 – Updated: 2025-12-04 20:01
    VLAI
    Summary
    Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-913 - Improper Control of Dynamically-Managed Code Resources
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: 7.2.2 , < 7.2.2-72806 (semver)
    Affected: 7.2.1 , < 7.2.1-69057-2 (semver)
    Unknown: 0 , < 7.2.1 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.4-23079 (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Credits
    Vo Van Thong of GE Security (VNG) (https://www.linkedin.com/in/thongvv3/)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5401",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-04T18:55:17.873091Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-04T20:01:59.634Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2.2-72806",
                  "status": "affected",
                  "version": "7.2.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1-69057-2",
                  "status": "affected",
                  "version": "7.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.4-23079",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vo Van Thong of GE Security (VNG) (https://www.linkedin.com/in/thongvv3/)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-913",
                  "description": "Improper Control of Dynamically-Managed Code Resources",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-04T14:20:18.980Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-24:27 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_27"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2024-5401",
        "datePublished": "2025-12-04T14:20:18.980Z",
        "dateReserved": "2024-05-27T05:35:33.549Z",
        "dateUpdated": "2025-12-04T20:01:59.634Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-45539 (GCVE-0-2024-45539)

    Vulnerability from nvd – Published: 2025-12-04 14:17 – Updated: 2025-12-04 20:02
    VLAI
    Summary
    Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: 7.2.2 , < 7.2.2-72806 (semver)
    Affected: 7.2.1 , < 7.2.1-69057-2 (semver)
    Unknown: 0 , < 7.2.1 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.4-23079 (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Credits
    Steven Lin ( https://x.com/5teven1in )
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-04T19:46:12.079314Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-04T20:02:07.895Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2.2-72806",
                  "status": "affected",
                  "version": "7.2.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1-69057-2",
                  "status": "affected",
                  "version": "7.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.4-23079",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Steven Lin ( https://x.com/5teven1in )"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-04T14:17:50.895Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-24:27 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_27"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2024-45539",
        "datePublished": "2025-12-04T14:17:50.895Z",
        "dateReserved": "2024-09-02T09:49:12.161Z",
        "dateUpdated": "2025-12-04T20:02:07.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-45538 (GCVE-0-2024-45538)

    Vulnerability from nvd – Published: 2025-12-04 14:16 – Updated: 2025-12-04 20:02
    VLAI
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: 7.2.2 , < 7.2.2-72806 (semver)
    Affected: 7.2.1 , < 7.2.1-69057-2 (semver)
    Unknown: 0 , < 7.2.1 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.4-23079 (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Credits
    Steven Lin ( https://x.com/5teven1in )
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45538",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-04T19:13:52.403109Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-04T20:02:13.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2.2-72806",
                  "status": "affected",
                  "version": "7.2.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1-69057-2",
                  "status": "affected",
                  "version": "7.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.4-23079",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Steven Lin ( https://x.com/5teven1in )"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-04T14:16:26.897Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-24:27 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_27"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2024-45538",
        "datePublished": "2025-12-04T14:16:26.897Z",
        "dateReserved": "2024-09-02T09:49:12.160Z",
        "dateUpdated": "2025-12-04T20:02:13.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-2729 (GCVE-0-2023-2729)

    Vulnerability from nvd – Published: 2023-06-13 07:11 – Updated: 2025-01-03 15:24
    VLAI
    Summary
    Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: 7.2 , < 7.2-64561 (semver)
    Affected: 7.1 , < 7.1.* (semver)
    Affected: 7.0 , < 7.0.* (semver)
    Affected: 6.2 , < 6.2.* (semver)
    Unknown: 0 , < 6.2 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.* (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Synology Synology Router Manager (SRM) Affected: 1.3 , < 1.3.* (semver)
    Affected: 1.2 , < 1.2.* (semver)
    Unknown: 0 , < 1.2 (semver)
    Create a notification for this product.
    Credits
    Sharon Brizinov of Claroty Research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:33:05.246Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "Synology-SA-23:07 DSM",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_07"
              },
              {
                "name": "Synology-SA-23:08 SRM",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_08"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2729",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T15:24:01.958795Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-03T15:24:12.653Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2-64561",
                  "status": "affected",
                  "version": "7.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.1.*",
                  "status": "affected",
                  "version": "7.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.0.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.2.*",
                  "status": "affected",
                  "version": "6.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.*",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Synology Router Manager (SRM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "1.3.*",
                  "status": "affected",
                  "version": "1.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.2.*",
                  "status": "affected",
                  "version": "1.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sharon Brizinov of Claroty Research"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-330: Use of Insufficiently Random Values",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-13T11:14:57.295Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-23:07 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_07"
            },
            {
              "name": "Synology-SA-23:08 SRM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_08"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2023-2729",
        "datePublished": "2023-06-13T07:11:54.850Z",
        "dateReserved": "2023-05-16T03:36:11.521Z",
        "dateUpdated": "2025-01-03T15:24:12.653Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0142 (GCVE-0-2023-0142)

    Vulnerability from nvd – Published: 2023-06-13 06:52 – Updated: 2025-01-03 01:55
    VLAI
    Summary
    Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Unaffected: 7.2 , < 7.2.* (semver)
    Affected: 7.1 , < 7.1-42661 (semver)
    Affected: 7.0 , < 7.0.1-42218-7 (semver)
    Affected: 6.2 , < 6.2.4-25556-8 (semver)
    Unknown: 0 , < 6.2 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.* (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Synology Synology Router Manager (SRM) Affected: 1.3 , < 1.3.* (semver)
    Affected: 1.2 , < 1.2.* (semver)
    Unknown: 0 , < 1.2 (semver)
    Create a notification for this product.
    Credits
    Chanyoung So
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:02:43.739Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "Synology-SA-23:05 DSM",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_05"
              },
              {
                "name": "Synology-SA-23:06 SRM",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_06"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0142",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T01:54:30.653163Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-03T01:55:23.191Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2.*",
                  "status": "unaffected",
                  "version": "7.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.1-42661",
                  "status": "affected",
                  "version": "7.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.0.1-42218-7",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.2.4-25556-8",
                  "status": "affected",
                  "version": "6.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.*",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Synology Router Manager (SRM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "1.3.*",
                  "status": "affected",
                  "version": "1.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.2.*",
                  "status": "affected",
                  "version": "1.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chanyoung So"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T07:12:44.154Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-23:05 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_05"
            },
            {
              "name": "Synology-SA-23:06 SRM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_06"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2023-0142",
        "datePublished": "2023-06-13T06:52:50.745Z",
        "dateReserved": "2023-01-10T02:14:16.029Z",
        "dateUpdated": "2025-01-03T01:55:23.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22687 (GCVE-0-2022-22687)

    Vulnerability from nvd – Published: 2022-03-25 06:55 – Updated: 2024-09-16 16:28
    VLAI
    Summary
    Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2022-03-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:21:49.112Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-03-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Buffer copy without checking size of input (\u0027Classic Buffer Overflow\u0027) vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-25T06:55:17.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2022-03-21T11:11:11.929865",
              "ID": "CVE-2022-22687",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Buffer copy without checking size of input (\u0027Classic Buffer Overflow\u0027) vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.8",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2022-22687",
        "datePublished": "2022-03-25T06:55:17.763Z",
        "dateReserved": "2022-01-05T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:28:18.145Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29087 (GCVE-0-2021-29087)

    Vulnerability from nvd – Published: 2021-06-23 09:55 – Updated: 2024-09-16 19:57
    VLAI
    Summary
    Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:55:12.615Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:55:11.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T06:33:36.567055",
              "ID": "CVE-2021-29087",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "7.5",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-29087",
        "datePublished": "2021-06-23T09:55:11.434Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:57:04.894Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29086 (GCVE-0-2021-29086)

    Vulnerability from nvd – Published: 2021-06-23 09:50 – Updated: 2024-09-17 03:38
    VLAI
    Summary
    Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:55:12.535Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:50:12.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T06:23:58.518378",
              "ID": "CVE-2021-29086",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "5.3",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-29086",
        "datePublished": "2021-06-23T09:50:12.188Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:38:00.885Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29085 (GCVE-0-2021-29085)

    Vulnerability from nvd – Published: 2021-06-23 09:55 – Updated: 2024-09-16 21:08
    VLAI
    Summary
    Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:55:12.635Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements in output used by a downstream component (\u0027Injection\u0027) vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:55:15.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T09:32:26.874493",
              "ID": "CVE-2021-29085",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper neutralization of special elements in output used by a downstream component (\u0027Injection\u0027) vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.6",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-29085",
        "datePublished": "2021-06-23T09:55:15.837Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:08:10.641Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29084 (GCVE-0-2021-29084)

    Vulnerability from nvd – Published: 2021-06-23 09:55 – Updated: 2024-09-16 23:10
    VLAI
    Summary
    Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:55:12.655Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements in output used by a downstream component (\u0027Injection\u0027) vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:55:20.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T09:30:40.257869",
              "ID": "CVE-2021-29084",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper neutralization of special elements in output used by a downstream component (\u0027Injection\u0027) vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "7.5",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-29084",
        "datePublished": "2021-06-23T09:55:20.735Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:10:23.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27649 (GCVE-0-2021-27649)

    Vulnerability from nvd – Published: 2021-06-23 09:50 – Updated: 2024-09-16 23:05
    VLAI
    Summary
    Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.632Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:50:17.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T09:44:44.497855",
              "ID": "CVE-2021-27649",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.8",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-416: Use After Free"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-27649",
        "datePublished": "2021-06-23T09:50:17.135Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:05:41.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26567 (GCVE-0-2021-26567)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-16 19:56
    VLAI
    Summary
    Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options.
    Severity
    No CVSS data available.
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    github/knik0 faad2 Affected: unspecified , < 2.2.7.1 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.524Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "faad2",
              "vendor": "github/knik0",
              "versions": [
                {
                  "lessThan": "2.2.7.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-03-12T13:40:10.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26567",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "faad2",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "2.2.7.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "github/knik0"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121: Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa",
                  "refsource": "MISC",
                  "url": "https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26567",
        "datePublished": "2021-02-26T21:45:35.788Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:56:15.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26566 (GCVE-0-2021-26566)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 03:23
    VLAI
    Summary
    Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.445Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T19:06:25.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26566",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-201: Insertion of Sensitive Information Into Sent Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26566",
        "datePublished": "2021-02-26T21:45:35.118Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:23:15.693Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26565 (GCVE-0-2021-26565)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 01:27
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.468Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T19:06:24.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26565",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26565",
        "datePublished": "2021-02-26T21:45:34.345Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:27:07.136Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26564 (GCVE-0-2021-26564)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 00:46
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.479Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-12T12:50:50.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26564",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.3",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26564",
        "datePublished": "2021-02-26T21:45:33.663Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:46:03.051Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26563 (GCVE-0-2021-26563)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-16 16:23
    VLAI
    Summary
    Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.4-25553 (custom)
    Create a notification for this product.
    Date Public
    2021-06-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.477Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.4-25553",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-18T10:18:29.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-17T07:07:06.548759",
              "ID": "CVE-2021-26563",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.4-25553"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.2",
                "vectorString": "AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-863: Incorrect Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1158"
                },
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_21_03",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_21_03"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26563",
        "datePublished": "2021-02-26T21:45:33.039Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:23:45.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26562 (GCVE-0-2021-26562)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 04:08
    VLAI
    Summary
    Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787: Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T18:06:15.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26562",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-787: Out-of-bounds Write"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26562",
        "datePublished": "2021-02-26T21:45:31.818Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:08:58.655Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26561 (GCVE-0-2021-26561)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-16 23:06
    VLAI
    Summary
    Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.449Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-19T18:06:13.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26561",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121: Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26561",
        "datePublished": "2021-02-26T21:45:31.206Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:06:05.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26560 (GCVE-0-2021-26560)

    Vulnerability from nvd – Published: 2021-02-26 21:45 – Updated: 2024-09-17 01:30
    VLAI
    Summary
    Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-02-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.473Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Synology DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-12T12:50:50.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-02-26T00:00:00",
              "ID": "CVE-2021-26560",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Synology DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.0",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319: Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                },
                {
                  "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159",
                  "refsource": "MISC",
                  "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1159"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-26560",
        "datePublished": "2021-02-26T21:45:30.498Z",
        "dateReserved": "2021-02-02T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:30:56.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-5401 (GCVE-0-2024-5401)

    Vulnerability from cvelistv5 – Published: 2025-12-04 14:20 – Updated: 2025-12-04 20:01
    VLAI
    Summary
    Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-913 - Improper Control of Dynamically-Managed Code Resources
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: 7.2.2 , < 7.2.2-72806 (semver)
    Affected: 7.2.1 , < 7.2.1-69057-2 (semver)
    Unknown: 0 , < 7.2.1 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.4-23079 (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Credits
    Vo Van Thong of GE Security (VNG) (https://www.linkedin.com/in/thongvv3/)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5401",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-04T18:55:17.873091Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-04T20:01:59.634Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2.2-72806",
                  "status": "affected",
                  "version": "7.2.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1-69057-2",
                  "status": "affected",
                  "version": "7.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.4-23079",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vo Van Thong of GE Security (VNG) (https://www.linkedin.com/in/thongvv3/)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-913",
                  "description": "Improper Control of Dynamically-Managed Code Resources",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-04T14:20:18.980Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-24:27 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_27"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2024-5401",
        "datePublished": "2025-12-04T14:20:18.980Z",
        "dateReserved": "2024-05-27T05:35:33.549Z",
        "dateUpdated": "2025-12-04T20:01:59.634Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-45539 (GCVE-0-2024-45539)

    Vulnerability from cvelistv5 – Published: 2025-12-04 14:17 – Updated: 2025-12-04 20:02
    VLAI
    Summary
    Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: 7.2.2 , < 7.2.2-72806 (semver)
    Affected: 7.2.1 , < 7.2.1-69057-2 (semver)
    Unknown: 0 , < 7.2.1 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.4-23079 (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Credits
    Steven Lin ( https://x.com/5teven1in )
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-04T19:46:12.079314Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-04T20:02:07.895Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2.2-72806",
                  "status": "affected",
                  "version": "7.2.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1-69057-2",
                  "status": "affected",
                  "version": "7.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.4-23079",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Steven Lin ( https://x.com/5teven1in )"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-04T14:17:50.895Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-24:27 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_27"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2024-45539",
        "datePublished": "2025-12-04T14:17:50.895Z",
        "dateReserved": "2024-09-02T09:49:12.161Z",
        "dateUpdated": "2025-12-04T20:02:07.895Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-45538 (GCVE-0-2024-45538)

    Vulnerability from cvelistv5 – Published: 2025-12-04 14:16 – Updated: 2025-12-04 20:02
    VLAI
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: 7.2.2 , < 7.2.2-72806 (semver)
    Affected: 7.2.1 , < 7.2.1-69057-2 (semver)
    Unknown: 0 , < 7.2.1 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.4-23079 (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Credits
    Steven Lin ( https://x.com/5teven1in )
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45538",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-04T19:13:52.403109Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-04T20:02:13.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2.2-72806",
                  "status": "affected",
                  "version": "7.2.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1-69057-2",
                  "status": "affected",
                  "version": "7.2.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.2.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.4-23079",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Steven Lin ( https://x.com/5teven1in )"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-04T14:16:26.897Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-24:27 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_27"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2024-45538",
        "datePublished": "2025-12-04T14:16:26.897Z",
        "dateReserved": "2024-09-02T09:49:12.160Z",
        "dateUpdated": "2025-12-04T20:02:13.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-2729 (GCVE-0-2023-2729)

    Vulnerability from cvelistv5 – Published: 2023-06-13 07:11 – Updated: 2025-01-03 15:24
    VLAI
    Summary
    Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: 7.2 , < 7.2-64561 (semver)
    Affected: 7.1 , < 7.1.* (semver)
    Affected: 7.0 , < 7.0.* (semver)
    Affected: 6.2 , < 6.2.* (semver)
    Unknown: 0 , < 6.2 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.* (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Synology Synology Router Manager (SRM) Affected: 1.3 , < 1.3.* (semver)
    Affected: 1.2 , < 1.2.* (semver)
    Unknown: 0 , < 1.2 (semver)
    Create a notification for this product.
    Credits
    Sharon Brizinov of Claroty Research
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:33:05.246Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "Synology-SA-23:07 DSM",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_07"
              },
              {
                "name": "Synology-SA-23:08 SRM",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_08"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2729",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T15:24:01.958795Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-03T15:24:12.653Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2-64561",
                  "status": "affected",
                  "version": "7.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.1.*",
                  "status": "affected",
                  "version": "7.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.0.*",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.2.*",
                  "status": "affected",
                  "version": "6.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.*",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Synology Router Manager (SRM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "1.3.*",
                  "status": "affected",
                  "version": "1.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.2.*",
                  "status": "affected",
                  "version": "1.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sharon Brizinov of Claroty Research"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-330: Use of Insufficiently Random Values",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-13T11:14:57.295Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-23:07 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_07"
            },
            {
              "name": "Synology-SA-23:08 SRM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_08"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2023-2729",
        "datePublished": "2023-06-13T07:11:54.850Z",
        "dateReserved": "2023-05-16T03:36:11.521Z",
        "dateUpdated": "2025-01-03T15:24:12.653Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-0142 (GCVE-0-2023-0142)

    Vulnerability from cvelistv5 – Published: 2023-06-13 06:52 – Updated: 2025-01-03 01:55
    VLAI
    Summary
    Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Unaffected: 7.2 , < 7.2.* (semver)
    Affected: 7.1 , < 7.1-42661 (semver)
    Affected: 7.0 , < 7.0.1-42218-7 (semver)
    Affected: 6.2 , < 6.2.4-25556-8 (semver)
    Unknown: 0 , < 6.2 (semver)
    Create a notification for this product.
    Synology Unified Controller (DSMUC) Affected: 3.1 , < 3.1.* (semver)
    Unknown: 0 , < 3.1 (semver)
    Create a notification for this product.
    Synology Synology Router Manager (SRM) Affected: 1.3 , < 1.3.* (semver)
    Affected: 1.2 , < 1.2.* (semver)
    Unknown: 0 , < 1.2 (semver)
    Create a notification for this product.
    Credits
    Chanyoung So
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T05:02:43.739Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "Synology-SA-23:05 DSM",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_05"
              },
              {
                "name": "Synology-SA-23:06 SRM",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_06"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-0142",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-03T01:54:30.653163Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-03T01:55:23.191Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "7.2.*",
                  "status": "unaffected",
                  "version": "7.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.1-42661",
                  "status": "affected",
                  "version": "7.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "7.0.1-42218-7",
                  "status": "affected",
                  "version": "7.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.2.4-25556-8",
                  "status": "affected",
                  "version": "6.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "6.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Unified Controller (DSMUC)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "3.1.*",
                  "status": "affected",
                  "version": "3.1",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.1",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "Synology Router Manager (SRM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "1.3.*",
                  "status": "affected",
                  "version": "1.3",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.2.*",
                  "status": "affected",
                  "version": "1.2",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.2",
                  "status": "unknown",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chanyoung So"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-03T07:12:44.154Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "name": "Synology-SA-23:05 DSM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_05"
            },
            {
              "name": "Synology-SA-23:06 SRM",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_06"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2023-0142",
        "datePublished": "2023-06-13T06:52:50.745Z",
        "dateReserved": "2023-01-10T02:14:16.029Z",
        "dateUpdated": "2025-01-03T01:55:23.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22687 (GCVE-0-2022-22687)

    Vulnerability from cvelistv5 – Published: 2022-03-25 06:55 – Updated: 2024-09-16 16:28
    VLAI
    Summary
    Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
    CWE
    • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2022-03-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:21:49.112Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-03-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Buffer copy without checking size of input (\u0027Classic Buffer Overflow\u0027) vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-25T06:55:17.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2022-03-21T11:11:11.929865",
              "ID": "CVE-2022-22687",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Buffer copy without checking size of input (\u0027Classic Buffer Overflow\u0027) vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.8",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2022-22687",
        "datePublished": "2022-03-25T06:55:17.763Z",
        "dateReserved": "2022-01-05T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:28:18.145Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29084 (GCVE-0-2021-29084)

    Vulnerability from cvelistv5 – Published: 2021-06-23 09:55 – Updated: 2024-09-16 23:10
    VLAI
    Summary
    Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:55:12.655Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements in output used by a downstream component (\u0027Injection\u0027) vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:55:20.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T09:30:40.257869",
              "ID": "CVE-2021-29084",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper neutralization of special elements in output used by a downstream component (\u0027Injection\u0027) vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "7.5",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-29084",
        "datePublished": "2021-06-23T09:55:20.735Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:10:23.988Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29085 (GCVE-0-2021-29085)

    Vulnerability from cvelistv5 – Published: 2021-06-23 09:55 – Updated: 2024-09-16 21:08
    VLAI
    Summary
    Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
    CWE
    • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:55:12.635Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper neutralization of special elements in output used by a downstream component (\u0027Injection\u0027) vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:55:15.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T09:32:26.874493",
              "ID": "CVE-2021-29085",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper neutralization of special elements in output used by a downstream component (\u0027Injection\u0027) vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "8.6",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-29085",
        "datePublished": "2021-06-23T09:55:15.837Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:08:10.641Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29087 (GCVE-0-2021-29087)

    Vulnerability from cvelistv5 – Published: 2021-06-23 09:55 – Updated: 2024-09-16 19:57
    VLAI
    Summary
    Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:55:12.615Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:55:11.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T06:33:36.567055",
              "ID": "CVE-2021-29087",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "7.5",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-29087",
        "datePublished": "2021-06-23T09:55:11.434Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:57:04.894Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27649 (GCVE-0-2021-27649)

    Vulnerability from cvelistv5 – Published: 2021-06-23 09:50 – Updated: 2024-09-16 23:05
    VLAI
    Summary
    Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.632Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-416",
                  "description": "CWE-416: Use After Free",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:50:17.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T09:44:44.497855",
              "ID": "CVE-2021-27649",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.8",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-416: Use After Free"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-27649",
        "datePublished": "2021-06-23T09:50:17.135Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:05:41.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-29086 (GCVE-0-2021-29086)

    Vulnerability from cvelistv5 – Published: 2021-06-23 09:50 – Updated: 2024-09-17 03:38
    VLAI
    Summary
    Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Synology DiskStation Manager (DSM) Affected: unspecified , < 6.2.3-25426-3 (custom)
    Create a notification for this product.
    Date Public
    2021-06-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:55:12.535Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "DiskStation Manager (DSM)",
              "vendor": "Synology",
              "versions": [
                {
                  "lessThan": "6.2.3-25426-3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-06-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-23T09:50:12.000Z",
            "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
            "shortName": "synology"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@synology.com",
              "DATE_PUBLIC": "2021-06-23T06:23:58.518378",
              "ID": "CVE-2021-29086",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "DiskStation Manager (DSM)",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c",
                                "version_affected": "\u003c",
                                "version_value": "6.2.3-25426-3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Synology"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "5.3",
                "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.synology.com/security/advisory/Synology_SA_20_26",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/security/advisory/Synology_SA_20_26"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "assignerShortName": "synology",
        "cveId": "CVE-2021-29086",
        "datePublished": "2021-06-23T09:50:12.188Z",
        "dateReserved": "2021-03-23T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:38:00.885Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }