ID

VAR-201712-0201


CVE

CVE-2017-15894


TITLE

Synology DiskStation Manager Path traversal vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2017-010912 // CNNVD: CNNVD-201710-1147

DESCRIPTION

Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter. Synology DiskStation Manager (DSM) contains a path traversal vulnerability. Information may be tampered with. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network-attached storage (NAS) servers. The operating system can manage data, documents, photos, music and other information. A directory traversal vulnerability exists in SYNO.FileStation.Extract in Synology DSM 6.0.x versions prior to 6.0.3-8754-3 and in versions prior to 5.2-5967-6.

Trust: 1.71

sources: NVD: CVE-2017-15894 // JVNDB: JVNDB-2017-010912 // VULHUB: VHN-106762

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: lt, version: 5.2-5967-6

Trust: 1.0

vendor: synology, model: diskstation manager, scope: gte, version: 5.2

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 6.0.3-8754-3

Trust: 1.0

vendor: synology, model: diskstation manager, scope: gte, version: 6.0

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 6.0.x

Trust: 0.8

vendor: synology, model: diskstation manager, scope: eq, version: 6.0.3-8754-3

Trust: 0.8

sources: JVNDB: JVNDB-2017-010912 // NVD: CVE-2017-15894

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-15894
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-15894
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201710-1147
value: MEDIUM

Trust: 0.6

VULHUB: VHN-106762
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-15894
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-106762
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-15894
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-106762 // JVNDB: JVNDB-2017-010912 // CNNVD: CNNVD-201710-1147 // NVD: CVE-2017-15894

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.9

sources: VULHUB: VHN-106762 // JVNDB: JVNDB-2017-010912 // NVD: CVE-2017-15894

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-1147

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201710-1147

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-010912

PATCH

title: Synology-SA-17:70 DSM, url: https://www.synology.com/en-global/support/security/Synology_SA_17_70_DSM

Trust: 0.8

title: Synology DiskStation Manager Repair measures for path traversal vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100120

Trust: 0.6

sources: JVNDB: JVNDB-2017-010912 // CNNVD: CNNVD-201710-1147

EXTERNAL IDS

db: NVD, id: CVE-2017-15894

Trust: 2.5

db: JVNDB, id: JVNDB-2017-010912

Trust: 0.8

db: CNNVD, id: CNNVD-201710-1147

Trust: 0.7

db: VULHUB, id: VHN-106762

Trust: 0.1

sources: VULHUB: VHN-106762 // JVNDB: JVNDB-2017-010912 // CNNVD: CNNVD-201710-1147 // NVD: CVE-2017-15894

REFERENCES

url: https://www.synology.com/en-global/support/security/synology_sa_17_70_dsm

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15894

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-15894

Trust: 0.8

sources: VULHUB: VHN-106762 // JVNDB: JVNDB-2017-010912 // CNNVD: CNNVD-201710-1147 // NVD: CVE-2017-15894

SOURCES

db: VULHUB, id: VHN-106762
db: JVNDB, id: JVNDB-2017-010912
db: CNNVD, id: CNNVD-201710-1147
db: NVD, id: CVE-2017-15894

LAST UPDATE DATE

2024-11-23T23:08:52.947000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-106762, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2017-010912, date: 2017-12-27T00:00:00
db: CNNVD, id: CNNVD-201710-1147, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-15894, date: 2024-11-21T03:15:25.533

SOURCES RELEASE DATE

db: VULHUB, id: VHN-106762, date: 2017-12-08T00:00:00
db: JVNDB, id: JVNDB-2017-010912, date: 2017-12-27T00:00:00
db: CNNVD, id: CNNVD-201710-1147, date: 2017-10-27T00:00:00
db: NVD, id: CVE-2017-15894, date: 2017-12-08T16:29:00.307