Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)

Publish Time: 2024-11-05 15:15:34 UTC+8

Last Updated: 2024-11-05 15:15:34 UTC+8

Severity: Important

Status: Ongoing

Abstract

Multiple vulnerabilities allow remote attackers to hijack web sessions and inject SQL commands via a susceptible version of Synology Drive Server.

The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25613) has been addressed.

An update to Synology Drive Server for DSM 7.1 will be published within 30 days.

Affected Products

Product | Severity | Fixed Release Availability
Synology Drive Server for DSM 7.2 | Important | Upgrade to 3.5.1-26102 or above.
Synology Drive Server for DSM 7.1 | Important | Ongoing

Mitigation

None

Detail

Reserved

Revision

Revision | Date | Description
1 | 2024-11-05 | Initial public release.