ID

VAR-201904-0599


CVE

CVE-2018-13284


TITLE

OS command injection vulnerability in Synology Diskstation Manager

Trust: 0.8

sources: JVNDB: JVNDB-2018-015185

DESCRIPTION

Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. The vulnerability arises because the network system or product does not correctly filter special elements when constructing executable commands from external input data. Attackers can exploit this vulnerability to execute illegal commands.

Trust: 1.71

sources: NVD: CVE-2018-13284 // JVNDB: JVNDB-2018-015185 // VULHUB: VHN-123328

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: lt, version: 6.2-23739-1

Trust: 1.8

vendor: synology, model: diskstation manager, scope: gte, version: 6.1

Trust: 1.0

vendor: synology, model: diskstation manager, scope: gte, version: 6.2

Trust: 1.0

vendor: synology, model: diskstation manager, scope: gte, version: 5.2

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 6.1.7-15284-1

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 6.0.3-8754-8

Trust: 1.0

vendor: synology, model: diskstation manager, scope: gte, version: 6.0

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 5.2-5967-8

Trust: 1.0

sources: JVNDB: JVNDB-2018-015185 // NVD: CVE-2018-13284

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-13284
value: HIGH

Trust: 1.0

security@synology.com: CVE-2018-13284
value: HIGH

Trust: 1.0

NVD: CVE-2018-13284
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201904-004
value: HIGH

Trust: 0.6

VULHUB: VHN-123328
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-13284
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-123328
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-13284
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

security@synology.com: CVE-2018-13284
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-123328 // JVNDB: JVNDB-2018-015185 // CNNVD: CNNVD-201904-004 // NVD: CVE-2018-13284 // NVD: CVE-2018-13284

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.9

sources: VULHUB: VHN-123328 // JVNDB: JVNDB-2018-015185 // NVD: CVE-2018-13284

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-004

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201904-004

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015185

PATCH

title: Synology-SA-18:33 DSM
url: https://www.synology.com/security/advisory/Synology_SA_18_33

Trust: 0.8

title: Synology DiskStation Manager Fixes for operating system command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90920

Trust: 0.6

sources: JVNDB: JVNDB-2018-015185 // CNNVD: CNNVD-201904-004

EXTERNAL IDS

db: NVD, id: CVE-2018-13284

Trust: 2.5

db: JVNDB, id: JVNDB-2018-015185

Trust: 0.8

db: CNNVD, id: CNNVD-201904-004

Trust: 0.7

db: VULHUB, id: VHN-123328

Trust: 0.1

sources: VULHUB: VHN-123328 // JVNDB: JVNDB-2018-015185 // CNNVD: CNNVD-201904-004 // NVD: CVE-2018-13284

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_18_33

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2018-13284

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13284

Trust: 0.8

sources: VULHUB: VHN-123328 // JVNDB: JVNDB-2018-015185 // CNNVD: CNNVD-201904-004 // NVD: CVE-2018-13284

SOURCES

db: VULHUB, id: VHN-123328
db: JVNDB, id: JVNDB-2018-015185
db: CNNVD, id: CNNVD-201904-004
db: NVD, id: CVE-2018-13284

LAST UPDATE DATE

2024-11-23T21:37:28.678000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-123328, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-015185, date: 2019-05-09T00:00:00
db: CNNVD, id: CNNVD-201904-004, date: 2019-10-10T00:00:00
db: NVD, id: CVE-2018-13284, date: 2024-11-21T03:46:45.403

SOURCES RELEASE DATE

db: VULHUB, id: VHN-123328, date: 2019-04-01T00:00:00
db: JVNDB, id: JVNDB-2018-015185, date: 2019-05-09T00:00:00
db: CNNVD, id: CNNVD-201904-004, date: 2019-04-01T00:00:00
db: NVD, id: CVE-2018-13284, date: 2019-04-01T15:29:00.390