ID

VAR-201904-0600


CVE

CVE-2018-13285


TITLE

OS command injection vulnerability in Synology Router Manager

Trust: 0.8

sources: JVNDB: JVNDB-2018-015184

DESCRIPTION

Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. Synology Router Manager (SRM) is software developed by Synology, Taiwan, for configuring and managing Synology routers. The vulnerability arises because the network system or product does not properly filter special elements when constructing executable commands from external input data. Attackers can exploit this vulnerability to execute illegal commands.

Trust: 1.71

sources: NVD: CVE-2018-13285 // JVNDB: JVNDB-2018-015184 // VULHUB: VHN-123329

AFFECTED PRODUCTS

vendor: synology, model: router manager, scope: lt, version: 1.1.7-6941-1

Trust: 1.8

vendor: synology, model: router manager, scope: gte, version: 1.1

Trust: 1.0

sources: JVNDB: JVNDB-2018-015184 // NVD: CVE-2018-13285

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-13285
value: HIGH

Trust: 1.0

security@synology.com: CVE-2018-13285
value: HIGH

Trust: 1.0

NVD: CVE-2018-13285
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201904-009
value: HIGH

Trust: 0.6

VULHUB: VHN-123329
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-13285
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-123329
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-13285
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

security@synology.com: CVE-2018-13285
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-123329 // JVNDB: JVNDB-2018-015184 // CNNVD: CNNVD-201904-009 // NVD: CVE-2018-13285 // NVD: CVE-2018-13285

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

sources: VULHUB: VHN-123329 // JVNDB: JVNDB-2018-015184 // NVD: CVE-2018-13285

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-009

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201904-009

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015184

PATCH

title: Synology-SA-18:34 SRM, url: https://www.synology.com/security/advisory/Synology_SA_18_34

Trust: 0.8

title: Synology Router Manager Fixes for operating system command injection vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90925

Trust: 0.6

sources: JVNDB: JVNDB-2018-015184 // CNNVD: CNNVD-201904-009

EXTERNAL IDS

db: NVD, id: CVE-2018-13285

Trust: 2.5

db: JVNDB, id: JVNDB-2018-015184

Trust: 0.8

db: CNNVD, id: CNNVD-201904-009

Trust: 0.7

db: VULHUB, id: VHN-123329

Trust: 0.1

sources: VULHUB: VHN-123329 // JVNDB: JVNDB-2018-015184 // CNNVD: CNNVD-201904-009 // NVD: CVE-2018-13285

REFERENCES

url:https://www.synology.com/security/advisory/synology_sa_18_34

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-13285

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13285

Trust: 0.8

sources: VULHUB: VHN-123329 // JVNDB: JVNDB-2018-015184 // CNNVD: CNNVD-201904-009 // NVD: CVE-2018-13285

SOURCES

db: VULHUB, id: VHN-123329
db: JVNDB, id: JVNDB-2018-015184
db: CNNVD, id: CNNVD-201904-009
db: NVD, id: CVE-2018-13285

LAST UPDATE DATE

2024-11-23T22:55:37.619000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-123329, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-015184, date: 2019-05-09T00:00:00
db: CNNVD, id: CNNVD-201904-009, date: 2019-10-10T00:00:00
db: NVD, id: CVE-2018-13285, date: 2024-11-21T03:46:45.527

SOURCES RELEASE DATE

db: VULHUB, id: VHN-123329, date: 2019-04-01T00:00:00
db: JVNDB, id: JVNDB-2018-015184, date: 2019-05-09T00:00:00
db: CNNVD, id: CNNVD-201904-009, date: 2019-04-01T00:00:00
db: NVD, id: CVE-2018-13285, date: 2019-04-01T15:29:00.420