Details of VAR-201712-0196

ID

VAR-201712-0196

CVE

CVE-2017-15889

TITLE

Synology DiskStation Manager Command injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2017-011197 // CNNVD: CNNVD-201710-1152

DESCRIPTION

Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. The smart.cgi file in versions earlier than Synology DSM 5.2-5967-5 has a command injection vulnerability

Trust: 1.71

sources: NVD: CVE-2017-15889 // JVNDB: JVNDB-2017-011197 // VULHUB: VHN-106756

AFFECTED PRODUCTS

vendor:	synology	model:	diskstation manager	scope:	lt	version:	5.2-5967-5	Trust: 1.8
vendor:	synology	model:	diskstation manager	scope:	eq	version:	4.2	Trust: 0.6
vendor:	synology	model:	diskstation manager	scope:	eq	version:	4.2-3243	Trust: 0.6
vendor:	synology	model:	diskstation manager	scope:	eq	version:	4.3-3810	Trust: 0.6
vendor:	synology	model:	diskstation manager	scope:	eq	version:	4.0-2259	Trust: 0.6
vendor:	synology	model:	diskstation manager	scope:	eq	version:	4.0	Trust: 0.6
vendor:	synology	model:	diskstation manager	scope:	eq	version:	3.0	Trust: 0.6
vendor:	synology	model:	diskstation manager	scope:	eq	version:	4.3	Trust: 0.6

sources: JVNDB: JVNDB-2017-011197 // CNNVD: CNNVD-201710-1152 // NVD: CVE-2017-15889

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-15889
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-15889
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201710-1152
value:	HIGH
Trust: 0.6
VULHUB:	VHN-106756
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-15889
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-106756
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-15889
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-106756 // JVNDB: JVNDB-2017-011197 // CNNVD: CNNVD-201710-1152 // NVD: CVE-2017-15889

PROBLEMTYPE DATA

problemtype:

CWE-77

Trust: 1.9

sources: VULHUB: VHN-106756 // JVNDB: JVNDB-2017-011197 // NVD: CVE-2017-15889

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-1152

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201710-1152

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011197

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-106756

PATCH

title:	Synology-SA-17:65 DSM	url:	https://www.synology.com/en-global/support/security/Synology_SA_17_65_DSM	Trust: 0.8
title:	Synology DiskStation Manager Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100124	Trust: 0.6

sources: JVNDB: JVNDB-2017-011197 // CNNVD: CNNVD-201710-1152

EXTERNAL IDS

db:	NVD	id:	CVE-2017-15889	Trust: 2.5
db:	PACKETSTORM	id:	157807	Trust: 1.7
db:	JVNDB	id:	JVNDB-2017-011197	Trust: 0.8
db:	CNNVD	id:	CNNVD-201710-1152	Trust: 0.7
db:	EXPLOIT-DB	id:	48514	Trust: 0.7
db:	VULHUB	id:	VHN-106756	Trust: 0.1

sources: VULHUB: VHN-106756 // JVNDB: JVNDB-2017-011197 // CNNVD: CNNVD-201710-1152 // NVD: CVE-2017-15889

REFERENCES

url:	https://www.synology.com/en-global/support/security/synology_sa_17_65_dsm	Trust: 1.7
url:	http://packetstormsecurity.com/files/157807/synology-diskstation-manager-smart.cgi-remote-command-execution.html	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15889	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-15889	Trust: 0.8
url:	https://www.exploit-db.com/exploits/48514	Trust: 0.6

sources: VULHUB: VHN-106756 // JVNDB: JVNDB-2017-011197 // CNNVD: CNNVD-201710-1152 // NVD: CVE-2017-15889

CREDITS

Nigusu Kassahu,h00die

Trust: 0.6

sources: CNNVD: CNNVD-201710-1152

SOURCES

db:	VULHUB	id:	VHN-106756
db:	JVNDB	id:	JVNDB-2017-011197
db:	CNNVD	id:	CNNVD-201710-1152
db:	NVD	id:	CVE-2017-15889

LAST UPDATE DATE

2024-11-23T22:00:48.543000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-106756	date:	2020-05-22T00:00:00
db:	JVNDB	id:	JVNDB-2017-011197	date:	2018-01-11T00:00:00
db:	CNNVD	id:	CNNVD-201710-1152	date:	2020-05-26T00:00:00
db:	NVD	id:	CVE-2017-15889	date:	2024-11-21T03:15:24.980

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-106756	date:	2017-12-04T00:00:00
db:	JVNDB	id:	JVNDB-2017-011197	date:	2018-01-11T00:00:00
db:	CNNVD	id:	CNNVD-201710-1152	date:	2017-10-27T00:00:00
db:	NVD	id:	CVE-2017-15889	date:	2017-12-04T19:29:00.297