Synology-SA-22:01 DSM

Publish Time: 2022-01-11 15:46:17 UTC+8

Last Updated: 2022-11-09 18:26:14 UTC+8

Severity
Moderate
Status
Accepted

Abstract

Multiple vulnerabilities allow remote attackers, or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM).

Affected Products

Product Severity Fixed Release Availability
DSM 7.0 Moderate Upgrade to 7.0.1-42218-2 or above.
DSM 6.2 Moderate Upgrade to 6.2.4-25556-3 or above.
DSMUC 3.0 Moderate Will not fix
VS Firmware 2.3 Moderate Will not fix

Mitigation

None

Detail

  • CVE-2021-43925

    • Severity: Moderate
    • CVSS3 Base Score: 4.7
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

  • CVE-2021-43926

    • Severity: Moderate
    • CVSS3 Base Score: 4.7
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

  • CVE-2021-43927

    • Severity: Moderate
    • CVSS3 Base Score: 4.7
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

  • CVE-2021-43929

    • Severity: Moderate
    • CVSS3 Base Score: 6.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
    • Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2022-22679

    • Severity: Moderate
    • CVSS3 Base Score: 6.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
    • Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors.

  • CVE-2022-22680

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors.

Acknowledgement

  • Eugene Lim, Government Technology Agency of Singapore

  • Loke Hui Yi, Government Technology Agency of Singapore

  • Thomas Fady

Reference

Revision

Revision Date Description
1 2022-01-11 Initial public release.
2 2022-03-01 Update the Acknowledgement.
3 2022-04-12 Disclosed vulnerability details.