Abstract
Multiple vulnerabilities allow remote attackers and remote authenticated users to conduct denial-of-service attacks against a susceptible version of Synology Directory Server.
Affected Products
Product | Severity | Fixed Release Availability
Synology Directory Server | Important | Upgrade to 4.10.18-0300 or above.
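The fixed release above is a Synology package version of the form major.minor.patch-build. Comparing such strings lexically is a common mistake ("4.9.0-0400" sorts after "4.10.18-0300"), so the check below, an added example that is not Synology tooling, parses the string into numbers before comparing it with the fixed release. The installed version to pass in is the one shown for Synology Directory Server in Package Center; the function and constant names are this example's own.

```python
import re
from typing import Tuple

# Added example, not Synology code. Compares a Synology package version such as
# "4.10.18-0300" against the fixed release numerically, part by part.

FIXED_DIRECTORY_SERVER = "4.10.18-0300"   # from the Affected Products table

# dotted numeric version, optionally followed by "-<build>"
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'major.minor.patch-build' into (numeric parts, build).

    A missing build suffix counts as build 0, so '4.10.18' sorts below
    '4.10.18-0300' rather than being treated as equal to it.
    """
    m = _VERSION.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) is not None else 0
    return parts, build


def is_fixed(installed: str, fixed: str = FIXED_DIRECTORY_SERVER) -> bool:
    """True when the installed version is at or above the fixed release."""
    inst_parts, inst_build = parse_version(installed)
    fix_parts, fix_build = parse_version(fixed)
    # pad the shorter dotted part with zeros so "5.0" compares as "5.0.0"
    width = max(len(inst_parts), len(fix_parts))
    inst_parts += (0,) * (width - len(inst_parts))
    fix_parts += (0,) * (width - len(fix_parts))
    return (inst_parts, inst_build) >= (fix_parts, fix_build)


if __name__ == "__main__":
    for candidate in ("4.10.17-0300", "4.10.18-0299", "4.10.18-0300", "4.9.0-0400"):
        state = "fixed" if is_fixed(candidate) else "VULNERABLE"
        print(f"{candidate:>14}: {state}")
```

Anything that reports VULNERABLE should be upgraded; the only mitigation listed in this advisory is the upgrade itself.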
Mitigation
None
Detail
CVE-2020-27840
- Severity: Important
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- A flaw was found in Samba. Spaces in a distinguished name (DN) string, which are supposed to be ignored, can instead cause an invalid DN string containing spaces to write a zero byte into out-of-bounds memory, resulting in a crash. The CVSS vector requires no privileges, so an unauthenticated client can trigger it. The highest threat from this vulnerability is to system availability.
CVE-2021-20277
- Severity: Important
- CVSS3 Base Score: 7.1
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
- A flaw was found in Samba's libldb. Multiple consecutive leading spaces in an LDAP attribute can lead to an out-of-bounds memory write and a crash of the LDAP server process handling the request. Unlike CVE-2020-27840, the CVSS vector requires low privileges, i.e. an authenticated user. The highest threat from this vulnerability is to system availability.
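Both issues above are in the handling of spaces inside LDAP distinguished-name strings, where RFC 4514 says unescaped leading and trailing spaces around an attribute type or value are not part of the data. The parser below is an added illustration, not Samba or ldb code, and it does not reproduce either Samba bug; it shows the behaviour a DN parser has to get right for this class of input: padded components are trimmed before anything is validated, components that are empty or consist only of spaces are rejected rather than handed on as zero-length data, and escaped spaces are preserved. Values are returned in their RFC 4514 escaped form. All names in it are this example's own.

```python
import re
from typing import List, Tuple

# Added example, not Samba/ldb code and not a reproduction of the Samba bugs.
# A small RFC 4514 DN parser whose point is the treatment of unescaped spaces.

RDN = List[Tuple[str, str]]  # one RDN may hold several type=value pairs joined by '+'

# attribute type: a keystring like "cn" / "dc", or a numeric OID like "2.5.4.3"
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$")


class InvalidDN(ValueError):
    """Raised for DN strings that are not well-formed."""


def _split_unescaped(s: str, sep: str, maxsplit: int = -1) -> List[str]:
    """Split s on sep, skipping separators that are backslash-escaped."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):          # keep the escape pair intact
            cur.extend((c, s[i + 1]))
            i += 2
            continue
        if c == sep and (maxsplit < 0 or len(parts) < maxsplit):
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _trim_unescaped_spaces(s: str) -> str:
    """Drop leading spaces and any trailing spaces that are not escaped.

    A trailing space preceded by an odd number of backslashes is escaped
    data ("foo\\ ") and is kept; an even count means the backslashes escape
    each other and the space itself is padding.
    """
    s = s.lstrip(" ")
    while s.endswith(" "):
        j = len(s) - 2
        backslashes = 0
        while j >= 0 and s[j] == "\\":
            backslashes += 1
            j -= 1
        if backslashes % 2 == 1:
            break
        s = s[:-1]
    return s


def parse_dn(dn: str) -> List[RDN]:
    """Parse dn into a list of RDNs, most specific first.

    '  cn = x , dc = example  ' parses like 'cn=x,dc=example'; a component
    that is empty or spaces only ('cn=x,   ,dc=y') raises InvalidDN.
    """
    if dn.strip(" ") == "":
        return []                                  # the empty DN (root DSE) is valid
    result: List[RDN] = []
    for raw_rdn in _split_unescaped(dn, ","):
        rdn_text = _trim_unescaped_spaces(raw_rdn)
        if rdn_text == "":
            raise InvalidDN("RDN component is empty or spaces only")
        rdn: RDN = []
        for ava in _split_unescaped(rdn_text, "+"):
            pair = _split_unescaped(ava, "=", maxsplit=1)
            if len(pair) != 2:
                raise InvalidDN(f"missing '=' in {ava!r}")
            atype = pair[0].strip(" ")
            if not _ATTR_TYPE.match(atype):
                raise InvalidDN(f"bad attribute type {atype!r}")
            rdn.append((atype.lower(), _trim_unescaped_spaces(pair[1])))
        result.append(rdn)
    return result


def is_valid_dn(dn: str) -> bool:
    """True when parse_dn accepts dn; a pre-check for client-supplied DNs."""
    try:
        parse_dn(dn)
        return True
    except InvalidDN:
        return False
```

The trimming is done on a copy of the component before anything else looks at it, which is the general defence for this class of bug: normalise the untrusted string first, then validate the normalised form, and never shorten or terminate a buffer in place based on offsets computed from the unnormalised input.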
Reference
Revision
Revision | Date | Description
1 | 2021-03-26 | Initial public release.
2 | 2021-06-01 | Fixed release for Synology Directory Server is now available; see Affected Products.