ID

VAR-202010-0961


CVE

CVE-2020-27650


TITLE

Synology DiskStation Manager Vulnerability regarding lack of encryption of critical data in

Trust: 0.8

sources: JVNDB: JVNDB-2020-012870

DESCRIPTION

Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. Synology DiskStation Manager (DSM) contains a vulnerability involving lack of encryption of critical data. Information may be obtained. Synology DiskStation Manager (DSM) is a product of the China Taiwan company Synology Technology (Synology). Synology DiskStation Manager is an operating system for network storage servers (NAS). HTTPS (Hypertext Transfer Protocol Secure) is a network security transmission protocol. apt is a product of the Debian project. apt is a command-line package manager

Trust: 1.8

sources: NVD: CVE-2020-27650 // JVNDB: JVNDB-2020-012870 // VULHUB: VHN-371559 // VULMON: CVE-2020-27650

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: gte, version: 6.2

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 6.2.3-25426-2

Trust: 1.0

vendor: synology, model: skynas, scope: lt, version: 6.2.3-25426

Trust: 1.0

vendor: synology, model: skynas, scope: -, version: -

Trust: 0.8

vendor: synology, model: diskstation manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-012870 // NVD: CVE-2020-27650

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-27650
value: LOW

Trust: 1.0

security@synology.com: CVE-2020-27650
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-27650
value: LOW

Trust: 0.8

CNNVD: CNNVD-202010-1643
value: LOW

Trust: 0.6

VULHUB: VHN-371559
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-27650
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-371559
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-27650
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 1.4
version: 3.1

Trust: 1.0

security@synology.com: CVE-2020-27650
baseSeverity: MEDIUM
baseScore: 5.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.6
impactScore: 3.7
version: 3.1

Trust: 1.0

NVD: CVE-2020-27650
baseSeverity: LOW
baseScore: 3.7
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-371559 // JVNDB: JVNDB-2020-012870 // CNNVD: CNNVD-202010-1643 // NVD: CVE-2020-27650 // NVD: CVE-2020-27650

PROBLEMTYPE DATA

problemtype: CWE-311

Trust: 1.1

problemtype: CWE-614

Trust: 1.0

problemtype: Lack of encryption of critical data (CWE-311) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-371559 // JVNDB: JVNDB-2020-012870 // NVD: CVE-2020-27650

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202010-1643

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202010-1643

PATCH

title: Synology-SA-20, url: https://www.synology.com/ja-jp/security/advisory/Synology_SA_20_18

Trust: 0.8

title: Synology DiskStation Manager Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=132453

Trust: 0.6

sources: JVNDB: JVNDB-2020-012870 // CNNVD: CNNVD-202010-1643

EXTERNAL IDS

db: NVD, id: CVE-2020-27650

Trust: 2.6

db: JVNDB, id: JVNDB-2020-012870

Trust: 0.8

db: CNNVD, id: CNNVD-202010-1643

Trust: 0.7

db: CNVD, id: CNVD-2020-60452

Trust: 0.1

db: VULHUB, id: VHN-371559

Trust: 0.1

db: VULMON, id: CVE-2020-27650

Trust: 0.1

sources: VULHUB: VHN-371559 // VULMON: CVE-2020-27650 // JVNDB: JVNDB-2020-012870 // CNNVD: CNNVD-202010-1643 // NVD: CVE-2020-27650

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_20_18

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-27650

Trust: 1.4

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-371559 // VULMON: CVE-2020-27650 // JVNDB: JVNDB-2020-012870 // CNNVD: CNNVD-202010-1643 // NVD: CVE-2020-27650

SOURCES

db: VULHUB, id: VHN-371559
db: VULMON, id: CVE-2020-27650
db: JVNDB, id: JVNDB-2020-012870
db: CNNVD, id: CNNVD-202010-1643
db: NVD, id: CVE-2020-27650

LAST UPDATE DATE

2024-11-23T23:11:16.113000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-371559, date: 2020-11-05T00:00:00
db: VULMON, id: CVE-2020-27650, date: 2020-11-05T00:00:00
db: JVNDB, id: JVNDB-2020-012870, date: 2021-06-11T07:50:00
db: CNNVD, id: CNNVD-202010-1643, date: 2020-11-06T00:00:00
db: NVD, id: CVE-2020-27650, date: 2024-11-21T05:21:35.557

SOURCES RELEASE DATE

db: VULHUB, id: VHN-371559, date: 2020-10-29T00:00:00
db: VULMON, id: CVE-2020-27650, date: 2020-10-29T00:00:00
db: JVNDB, id: JVNDB-2020-012870, date: 2021-06-11T00:00:00
db: CNNVD, id: CNNVD-202010-1643, date: 2020-10-29T00:00:00
db: NVD, id: CVE-2020-27650, date: 2020-10-29T09:15:12.793