Synology-SA-20:06 DSM

Publish Time: 2020-04-29 18:22:25 UTC+8

Last Updated: 2022-07-27 16:17:21 UTC+8

Severity: Moderate

Status: Accepted

Abstract

Multiple vulnerabilities allow remote authenticated users to conduct denial-of-service attacks or obtain user credentials via a susceptible version of Synology DiskStation Manager (DSM).

Affected Products

Product	Severity	Fixed Release Availability
DSM 6.2	Moderate	Upgrade to 6.2.3-25423 or above.
VS Firmware 2.3	Moderate	Pending

Mitigation

None

Detail

CVE-2022-27610
- Severity: Moderate
- CVSS3 Base Score: 6.5
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
- Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.

Acknowledgement

Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group

Revision

Revision	Date	Description
1	2020-04-29	Initial public release.
2	2022-07-27	Disclosed vulnerability details.