Details of VAR-202102-1228

ID

VAR-202102-1228

CVE

CVE-2021-26564

TITLE

Synology DiskStation Manager Vulnerability in plaintext transmission of important information in

Trust: 0.8

sources: JVNDB: JVNDB-2021-004173

DESCRIPTION

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in Synology DiskStation Manager before 6.2.3-25426-3. This vulnerability is caused by a vulnerability in the transmission of sensitive information in plaintext. Attackers can use this vulnerability to deceive the server through HTTP sessions

Trust: 2.34

sources: NVD: CVE-2021-26564 // JVNDB: JVNDB-2021-004173 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-385705 // VULMON: CVE-2021-26564

AFFECTED PRODUCTS

vendor:	synology	model:	diskstation manager	scope:	lt	version:	6.2.3-25426-3	Trust: 1.0
vendor:	synology	model:	diskstation manager unified controller	scope:	eq	version:	3.0	Trust: 1.0
vendor:	synology	model:	skynas	scope:	eq	version:	-	Trust: 1.0
vendor:	synology	model:	vs960hd	scope:	eq	version:	-	Trust: 1.0
vendor:	synology	model:	diskstation manager	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	diskstation manager unified controller	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	skynas	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	vs960hd	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-004173 // NVD: CVE-2021-26564

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-26564
value:	HIGH
Trust: 1.0
security@synology.com:	CVE-2021-26564
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-26564
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202102-1706
value:	HIGH
Trust: 0.6
VULHUB:	VHN-385705
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-26564
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-26564
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-385705
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-26564
baseSeverity:	HIGH
baseScore:	8.7
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	5.8
version:	3.1
Trust: 1.0
security@synology.com:	CVE-2021-26564
baseSeverity:	HIGH
baseScore:	8.3
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.6
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2021-26564
baseSeverity:	HIGH
baseScore:	8.7
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-385705 // VULMON: CVE-2021-26564 // JVNDB: JVNDB-2021-004173 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202102-1706 // NVD: CVE-2021-26564 // NVD: CVE-2021-26564

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.1
problemtype:	Sending important information in clear text (CWE-319) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-385705 // JVNDB: JVNDB-2021-004173 // NVD: CVE-2021-26564

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-1706

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202102-1706

PATCH

title:	Synology-SA-20	url:	https://www.synology.com/security/advisory/Synology_SA_20_26	Trust: 0.8
title:	Synology DiskStation Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=143556	Trust: 0.6

sources: JVNDB: JVNDB-2021-004173 // CNNVD: CNNVD-202102-1706

EXTERNAL IDS

db:	NVD	id:	CVE-2021-26564	Trust: 2.6
db:	TALOS	id:	TALOS-2020-1160	Trust: 1.8
db:	JVNDB	id:	JVNDB-2021-004173	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021042002	Trust: 0.6
db:	CNNVD	id:	CNNVD-202102-1706	Trust: 0.6
db:	VULHUB	id:	VHN-385705	Trust: 0.1
db:	VULMON	id:	CVE-2021-26564	Trust: 0.1

sources: VULHUB: VHN-385705 // VULMON: CVE-2021-26564 // JVNDB: JVNDB-2021-004173 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202102-1706 // NVD: CVE-2021-26564

REFERENCES

url:	https://www.synology.com/security/advisory/synology_sa_20_26	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-26564	Trust: 1.4
url:	https://www.talosintelligence.com/vulnerability_reports/talos-2020-1160	Trust: 1.2
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://talosintelligence.com/vulnerability_reports/talos-2020-1160	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021042002	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/319.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-385705 // VULMON: CVE-2021-26564 // JVNDB: JVNDB-2021-004173 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202102-1706 // NVD: CVE-2021-26564

SOURCES

db:	VULHUB	id:	VHN-385705
db:	VULMON	id:	CVE-2021-26564
db:	JVNDB	id:	JVNDB-2021-004173
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202102-1706
db:	NVD	id:	CVE-2021-26564

LAST UPDATE DATE

2024-11-23T20:14:03.650000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-385705	date:	2022-04-26T00:00:00
db:	VULMON	id:	CVE-2021-26564	date:	2021-05-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-004173	date:	2021-11-16T06:39:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202102-1706	date:	2021-05-13T00:00:00
db:	NVD	id:	CVE-2021-26564	date:	2024-11-21T05:56:29.543

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-385705	date:	2021-02-26T00:00:00
db:	VULMON	id:	CVE-2021-26564	date:	2021-02-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-004173	date:	2021-11-16T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202102-1706	date:	2021-02-26T00:00:00
db:	NVD	id:	CVE-2021-26564	date:	2021-02-26T22:15:20.300