Abstract
Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM).
Affected Products
Product |
Severity |
Fixed Release Availability |
DSM 6.2 |
Important |
Upgrade to 6.2.4-25553 or above. |
DSMUC 3.0 |
Moderate |
Pending |
VS Firmware 2.3 |
Not affected |
N/A |
Mitigation
None
Detail
CVE-2021-26563
- Severity: Important
- CVSS3 Base Score: 8.2
- CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
CVE-2021-29088
- Severity: Important
- CVSS3 Base Score: 7.8
- CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
CVE-2022-22684
- Severity: Important
- CVSS3 Base Score: 7.2
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/MAV:L
- Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote attackers to execute arbitrary commands via unspecified vectors.
CVE-2021-33182
- Severity: Moderate
- CVSS3 Base Score: 5.0
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
- Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors.
Acknowledgement
Revision
Revision |
Date |
Description |
1 |
2021-02-23 |
Initial public release. |
2 |
2021-06-10 |
Disclosed vulnerability details. |
3 |
2022-07-28 |
Disclosed vulnerability details. |