Skip to main content

Diskstation Manager Unified Controller CVE-2023-0142

HIGH
Uncontrolled Search Path Element (CWE-427)
2023-06-13 security@synology.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 13, 2023 - 07:15 nvd
HIGH 8.1

DescriptionNVD

Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors.

AnalysisAI

Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-427. Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors. Affected products include: Synology Diskstation Manager Unified Controller, Synology Router Manager, Synology Diskstation Manager. Version information: before 6.2.4.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2021-3156 HIGH POC
7.8 Jan 26

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege

CVE-2021-26566 CRITICAL POC
9.0 Feb 26

Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) befo

CVE-2021-26564 HIGH POC
8.7 Feb 26

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before

CVE-2021-26562 HIGH POC
8.1 Feb 26

Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allow

CVE-2021-26561 HIGH POC
8.1 Feb 26

Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426

CVE-2021-26560 HIGH POC
7.4 Feb 26

Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM

CVE-2021-26563 MEDIUM POC
6.7 Feb 26

Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 all

CVE-2021-26565 MEDIUM POC
5.9 Feb 26

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before

CVE-2022-22687 CRITICAL
9.8 Mar 25

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in

CVE-2021-27649 CRITICAL
9.8 Jun 23

Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-2542

CVE-2024-45538 CRITICAL
9.6 Dec 04

Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-6

CVE-2021-26567 HIGH
7.8 Feb 26

Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute ar

Share

CVE-2023-0142 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy