Synology-SA-17:64 CardDAV Server
Publish Time: 2017-11-06 16:35:38 UTC+8
Last Updated: 2017-11-06 16:35:38 UTC+8
- Severity: Critical
- Status: Resolved
Abstract
CVE-2017-15887 allows remote attackers to obtain system user account credentials by brute-force attack against a vulnerable version of CardDAV Server.
Severity
- Impact: Critical
- CVSS3 Base Score: 9.1
- CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected
- Products
  - CardDAV Server before 6.0.7-0085
Description
An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack.
Mitigation
None
Update Availability
To fix the security issue, please go to DSM > Package Center and update CardDAV Server to 6.0.7-0085 or above.