Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)
Publish Time: 2024-11-05 15:15:34 UTC+8
Last Updated: 2024-11-21 19:04:27 UTC+8
- Severity
- Important
- Status
- Resolved
Abstract
Multiple vulnerabilities allow remote attackers to hijack web sessions and inject SQL commands via a susceptible version of Synology Drive Server.
The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25613) has been addressed.
Update of Synology Drive Server for DSM 7.2.1 and Synology Drive Server for DSM 7.1 will be published within 30 days.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Synology Drive Server for DSM 7.2.2 | Important | Upgrade to 3.5.1-26102 or above. |
| Synology Drive Server for DSM 7.2.1 | Important | Upgrade to 3.5.0-26085 or above. |
| Synology Drive Server for DSM 7.1 | Important | Upgrade to 3.2.1-23280 or above. |
| Synology Drive Server for DSM 6.2 | Important | Upgrade to 3.0.4-12699 or above. |
Mitigation
None
Detail
Reserved
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2024-11-05 | Initial public release. |
| 2 | 2024-11-12 | Update for Synology Drive Server for DSM 7.2.1 is now available in Affected Products. |
| 3 | 2024-11-12 | Update for Synology Drive Server for DSM 7.1 is now available in Affected Products. |
| 4 | 2024-11-21 | Added Synology Drive Server for DSM 6.2 to Affected Products. |
| 5 | 2024-11-21 | Update for Synology Drive Server for DSM 6.2 is now available in Affected Products. |