Synology DSM Security Advisory: Multiple Vulnerabilities (RCE, Path Traversal, Command Injection)

Vulnerability Key Information Vulnerability ID Synology-SA-21:03 DSM Release and Update Time Release Time: 2021-02-23 09:15:43 UTC+8 Last Update Time: 2022-07-28 14:30:58 UTC+8 Severity and Status Severity: Important Status: Accepted Summary Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via vulnerable versions of DiskStation Manager (DSM). Affected Products Vulnerability Details CVE-2021-26563 - Severity: Important - CVSS3 Base Score: 8.2 - CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H - Details: Synology DiskStation Manager (DSM) versions prior to 6.2.4-25553 contain an authorization validation flaw in synoagentregisterd, allowing local users to execute arbitrary code via unspecified vectors. CVE-2021-29088 - Severity: Important - CVSS3 Base Score: 7.8 - CVSS3 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - Details: Synology DiskStation Manager (DSM) versions prior to 6.2.4-25553 contain a path traversal vulnerability in the cgi component, allowing local users to execute arbitrary code via unspecified vectors. CVE-2022-22684 - Severity: Important - CVSS3 Base Score: 7.2 - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/MAV:L - Details: Synology DiskStation Manager (DSM) versions prior to 6.2.4-25553 contain an OS command injection vulnerability in the task management component, allowing remote attackers to execute arbitrary commands via unspecified vectors. CVE-2021-33182 - Severity: Medium - CVSS3 Base Score: 5.0 - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N - Details: Synology DiskStation Manager (DSM) versions prior to 6.2.4-25553 contain a path traversal vulnerability in the PDF Viewer component, allowing remote authenticated users to read limited files via unspecified vectors. Acknowledgments Claudio Bozzato of Cisco Talos Bing-Jhong Jheng Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group Version History

Goal Reached Thanks to every supporter — we hit 100%!

Synology DSM Security Advisory: Multiple Vulnerabilities (RCE, Path Traversal, Command Injection)