Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)
Publish Time: 2024-11-05 15:15:34 UTC+8
Last Updated: 2024-11-05 15:15:34 UTC+8
- Severity
- Important
- Status
- Ongoing
Abstract
Multiple vulnerabilities allow remote attackers to hijack web sessions and inject SQL commands via a susceptible version of Synology Drive Server.
The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25613) has been addressed.
Update of Synology Drive Server for DSM 7.1 will be published within 30 days.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Synology Drive Server for DSM 7.2 | Important | Upgrade to 3.5.1-26102 or above. |
| Synology Drive Server for DSM 7.1 | Important | Ongoing |
Mitigation
None
Detail
Reserved
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2024-11-05 | Initial public release. |