Synology-SA-22:01 DSM
Publish Time: UTC+8
Last Updated: UTC+8
Severity: Moderate
Status: Accepted
Abstract
Multiple vulnerabilities allow remote attackers or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM).
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.0 | Moderate | Upgrade to 7.0.1-42218-2 or above. |
| DSM 6.2 | Moderate | Upgrade to 6.2.4-25556-3 or above. |
| DSMUC 3.0 | Moderate | Will not fix |
| VS Firmware 2.3 | Moderate | Will not fix |
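An added example, not part of Synology's advisory: a triage helper that classifies DSM release strings against the fixed releases in the table above. It assumes releases are written as `X.Y[.Z]-BUILD[-UPDATE]`, that build and update numbers increase with each release inside a branch, and that a device's `/etc.defaults/VERSION` file holds `key="value"` lines with the key names used below; the host names and sample file are constructed.

```python
import re

# Fixed releases from the Affected Products table: branch -> (build, update).
FIXED = {"7.0": (42218, 2), "6.2": (25556, 3)}

def parse_release(release):
    """Split 'X.Y[.Z]-BUILD[-UPDATE]' into (branch, build, update)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)?-(\d+)(?:-(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised DSM release string: {release!r}")
    return f"{m[1]}.{m[2]}", int(m[3]), int(m[4] or 0)

def parse_version_file(text):
    """Build a release string from key="value" lines (assumed VERSION layout)."""
    kv = dict(re.findall(r'^(\w+)="([^"]*)"\s*$', text, re.MULTILINE))
    release = f'{kv["productversion"]}-{kv["buildnumber"]}'
    if kv.get("smallfixnumber"):
        release += f'-{kv["smallfixnumber"]}'
    return release

def triage(release):
    """Return 'fixed', 'needs-upgrade', or 'not-listed' for a DSM release."""
    branch, build, update = parse_release(release)
    if branch not in FIXED:
        return "not-listed"  # the advisory only names DSM 7.0 and 6.2
    return "fixed" if (build, update) >= FIXED[branch] else "needs-upgrade"

# Constructed sample of a VERSION file, not taken from a real device.
SAMPLE_VERSION_FILE = '''majorversion="7"
minorversion="0"
productversion="7.0.1"
buildnumber="42218"
smallfixnumber="1"
'''

if __name__ == "__main__":
    # Constructed inventory: host name -> reported DSM release.
    inventory = {
        "nas-a": parse_version_file(SAMPLE_VERSION_FILE),
        "nas-b": "7.0.1-42218-2",
        "nas-c": "6.2.4-25556",
        "nas-d": "6.2.4-25556-3",
    }
    for host, release in inventory.items():
        print(f"{host}: DSM {release} -> {triage(release)}")
```

A release with no update suffix is treated as update 0, so `6.2.4-25556` is reported as needing the upgrade to `6.2.4-25556-3`.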
Mitigation
None
Detail
CVE-2021-43925
- Severity: Moderate
- CVSS3 Base Score: 4.7
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
CVE-2021-43926
- Severity: Moderate
- CVSS3 Base Score: 4.7
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
CVE-2021-43927
- Severity: Moderate
- CVSS3 Base Score: 4.7
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
CVE-2021-43929
- Severity: Moderate
- CVSS3 Base Score: 6.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
- Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2022-22679
- Severity: Moderate
- CVSS3 Base Score: 6.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
- Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors.
CVE-2022-22680
- Severity: Moderate
- CVSS3 Base Score: 5.3
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors.
Acknowledgement
Eugene Lim, Government Technology Agency of Singapore
Loke Hui Yi, Government Technology Agency of Singapore
Thomas Fady
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2022-01-11 | Initial public release. |
| 2 | 2022-03-01 | Update the Acknowledgement. |
| 3 | 2022-04-12 | Disclosed vulnerability details. |

