Details of VAR-202102-1276

ID

VAR-202102-1276

CVE

CVE-2021-26560

TITLE

Synology DiskStation Manager Vulnerability in plaintext transmission of important information in

Trust: 0.8

sources: JVNDB: JVNDB-2021-004174

DESCRIPTION

Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in Synology DiskStation Manager (DSM) before 6.2.3-25426-3

Trust: 2.25

sources: NVD: CVE-2021-26560 // JVNDB: JVNDB-2021-004174 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-385701

AFFECTED PRODUCTS

vendor:	synology	model:	diskstation manager	scope:	lt	version:	6.2.3-25426-3	Trust: 1.0
vendor:	synology	model:	diskstation manager unified controller	scope:	eq	version:	3.0	Trust: 1.0
vendor:	synology	model:	skynas	scope:	eq	version:	-	Trust: 1.0
vendor:	synology	model:	vs960hd	scope:	eq	version:	-	Trust: 1.0
vendor:	synology	model:	diskstation manager	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	diskstation manager unified controller	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	skynas	scope:	-	version:	-	Trust: 0.8
vendor:	synology	model:	vs960hd	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-004174 // NVD: CVE-2021-26560

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-26560
value:	HIGH
Trust: 1.0
security@synology.com:	CVE-2021-26560
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-26560
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202102-1712
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-385701
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-26560
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2021-26560
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-385701
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-26560
baseSeverity:	HIGH
baseScore:	7.4
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	5.2
version:	3.1
Trust: 1.0
security@synology.com:	CVE-2021-26560
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2021-26560
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-385701 // JVNDB: JVNDB-2021-004174 // CNNVD: CNNVD-202102-1712 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-26560 // NVD: CVE-2021-26560

PROBLEMTYPE DATA

problemtype:	CWE-319	Trust: 1.1
problemtype:	Sending important information in clear text (CWE-319) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-385701 // JVNDB: JVNDB-2021-004174 // NVD: CVE-2021-26560

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-1712

TYPE

other

Trust: 1.2

sources: CNNVD: CNNVD-202102-1712 // CNNVD: CNNVD-202104-975

PATCH

title:	Synology-SA-20	url:	https://www.synology.com/security/advisory/Synology_SA_20_26	Trust: 0.8
title:	Synology DiskStation Manager Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=143568	Trust: 0.6

sources: JVNDB: JVNDB-2021-004174 // CNNVD: CNNVD-202102-1712

EXTERNAL IDS

db:	NVD	id:	CVE-2021-26560	Trust: 2.5
db:	TALOS	id:	TALOS-2020-1159	Trust: 1.7
db:	JVNDB	id:	JVNDB-2021-004174	Trust: 0.8
db:	CS-HELP	id:	SB2021042002	Trust: 0.6
db:	CNNVD	id:	CNNVD-202102-1712	Trust: 0.6
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	VULHUB	id:	VHN-385701	Trust: 0.1

sources: VULHUB: VHN-385701 // JVNDB: JVNDB-2021-004174 // CNNVD: CNNVD-202102-1712 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-26560

REFERENCES

url:	https://www.synology.com/security/advisory/synology_sa_20_26	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-26560	Trust: 1.4
url:	https://talosintelligence.com/vulnerability_reports/talos-2020-1159	Trust: 1.2
url:	https://www.talosintelligence.com/vulnerability_reports/talos-2020-1159	Trust: 1.1
url:	https://www.cybersecurity-help.cz/vdb/sb2021042002	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6

sources: VULHUB: VHN-385701 // JVNDB: JVNDB-2021-004174 // CNNVD: CNNVD-202102-1712 // CNNVD: CNNVD-202104-975 // NVD: CVE-2021-26560

CREDITS

Discovered by Claudio Bozzato and Lilith >_> of Cisco Talos.

Trust: 0.6

sources: CNNVD: CNNVD-202102-1712

SOURCES

db:	VULHUB	id:	VHN-385701
db:	JVNDB	id:	JVNDB-2021-004174
db:	CNNVD	id:	CNNVD-202102-1712
db:	CNNVD	id:	CNNVD-202104-975
db:	NVD	id:	CVE-2021-26560

LAST UPDATE DATE

2024-11-23T20:07:43.845000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-385701	date:	2022-04-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-004174	date:	2021-11-16T06:39:00
db:	CNNVD	id:	CNNVD-202102-1712	date:	2022-04-27T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	NVD	id:	CVE-2021-26560	date:	2024-11-21T05:56:28.210

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-385701	date:	2021-02-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-004174	date:	2021-11-16T00:00:00
db:	CNNVD	id:	CNNVD-202102-1712	date:	2021-02-26T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	NVD	id:	CVE-2021-26560	date:	2021-02-26T22:15:19.643