Seems like there is a more localized page available for your location.
Synology Bee 系列
群晖套件导览

Synology-SA-23:02 Sudo

Publish Time: 2023-03-30 16:17:07 UTC+8

Last Updated: 2023-10-04 18:16:36 UTC+8

Severity
Low
Status
Accepted

Abstract

A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).

Affected Products

Product Severity Fixed Release Availability
DSM 7.1 Low Upgrade to 7.2.1-69057 or above.
DSM 7.0 Low Will not fix
DSM 6.2 Low Will not fix
DSMUC 3.1 Low Will not fix
SRM 1.3 Low Will not fix
SRM 1.2 Not affected N/A
VS Firmware 3.0 Low Will not fix

Mitigation

None

Detail

  • CVE-2023-22809
    • Severity: Low
    • CVSS3 Base Score: 6.7
    • CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.

Reference

CVE-2023-22809

Revision

Revision Date Description
1 2023-03-30 Initial public release.
2 2023-09-26 Update for DSM 7.1 is now available in Affected Products.