ID

VAR-202106-1476


CVE

CVE-2021-29085


TITLE

Synology DiskStation Manager Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-008492

DESCRIPTION

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors. Synology DiskStation Manager (DSM) is vulnerable to injection. Information may be obtained. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information.

Trust: 1.71

sources: NVD: CVE-2021-29085 // JVNDB: JVNDB-2021-008492 // VULHUB: VHN-388625

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager unified controller, scope: lt, version: 3.1-23033

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 6.2.3-25426-3

Trust: 1.0

vendor: synology, model: diskstation manager, scope: gte, version: 6.2

Trust: 1.0

vendor: synology, model: diskstation manager unified controller, scope: -, version: -

Trust: 0.8

vendor: synology, model: diskstation manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-008492 // NVD: CVE-2021-29085

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-29085
value: HIGH

Trust: 1.0

security@synology.com: CVE-2021-29085
value: HIGH

Trust: 1.0

NVD: CVE-2021-29085
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202106-1618
value: HIGH

Trust: 0.6

VULHUB: VHN-388625
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-29085
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-388625
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-29085
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

security@synology.com: CVE-2021-29085
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-29085
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-388625 // JVNDB: JVNDB-2021-008492 // CNNVD: CNNVD-202106-1618 // NVD: CVE-2021-29085 // NVD: CVE-2021-29085

PROBLEMTYPE DATA

problemtype: CWE-74

Trust: 1.1

problemtype: injection (CWE-74) [Other]

Trust: 0.8

sources: VULHUB: VHN-388625 // JVNDB: JVNDB-2021-008492 // NVD: CVE-2021-29085

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-1618

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202106-1618

PATCH

title: Synology-SA-20, url: https://www.synology.com/ja-jp/security/advisory/Synology_SA_20_26

Trust: 0.8

title: Synology DiskStation Manager Repair measures for injecting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155550

Trust: 0.6

sources: JVNDB: JVNDB-2021-008492 // CNNVD: CNNVD-202106-1618

EXTERNAL IDS

db: NVD, id: CVE-2021-29085

Trust: 3.3

db: JVNDB, id: JVNDB-2021-008492

Trust: 0.8

db: CNNVD, id: CNNVD-202106-1618

Trust: 0.7

db: VULHUB, id: VHN-388625

Trust: 0.1

sources: VULHUB: VHN-388625 // JVNDB: JVNDB-2021-008492 // CNNVD: CNNVD-202106-1618 // NVD: CVE-2021-29085

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_20_26

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-29085

Trust: 0.8

sources: VULHUB: VHN-388625 // JVNDB: JVNDB-2021-008492 // CNNVD: CNNVD-202106-1618 // NVD: CVE-2021-29085

SOURCES

db: VULHUB, id: VHN-388625
db: JVNDB, id: JVNDB-2021-008492
db: CNNVD, id: CNNVD-202106-1618
db: NVD, id: CVE-2021-29085

LAST UPDATE DATE

2024-08-14T14:11:21.542000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-388625, date: 2021-06-29T00:00:00
db: JVNDB, id: JVNDB-2021-008492, date: 2022-03-18T01:13:00
db: CNNVD, id: CNNVD-202106-1618, date: 2021-06-30T00:00:00
db: NVD, id: CVE-2021-29085, date: 2021-06-29T19:50:28.217

SOURCES RELEASE DATE

db: VULHUB, id: VHN-388625, date: 2021-06-23T00:00:00
db: JVNDB, id: JVNDB-2021-008492, date: 2022-03-18T00:00:00
db: CNNVD, id: CNNVD-202106-1618, date: 2021-06-23T00:00:00
db: NVD, id: CVE-2021-29085, date: 2021-06-23T10:15:08.347