ID

VAR-202106-1478


CVE

CVE-2021-29087


TITLE

Synology DiskStation Manager Traversal Vulnerability in Japan

Trust: 0.8

sources: JVNDB: JVNDB-2021-008494

DESCRIPTION

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors. Synology DiskStation Manager (DSM) contains a path traversal vulnerability. Information may be tampered with. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information.

Trust: 1.71

sources: NVD: CVE-2021-29087 // JVNDB: JVNDB-2021-008494 // VULHUB: VHN-388627

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager unified controller, scope: lt, version: 3.1-23033

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 6.2.3-25426-3

Trust: 1.0

vendor: synology, model: diskstation manager, scope: gte, version: 6.2

Trust: 1.0

vendor: synology, model: diskstation manager unified controller, scope: -, version: -

Trust: 0.8

vendor: synology, model: diskstation manager, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-008494 // NVD: CVE-2021-29087

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-29087
value: HIGH

Trust: 1.0

security@synology.com: CVE-2021-29087
value: HIGH

Trust: 1.0

NVD: CVE-2021-29087
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202106-1620
value: HIGH

Trust: 0.6

VULHUB: VHN-388627
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-29087
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-388627
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-29087
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-008494
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-388627 // JVNDB: JVNDB-2021-008494 // CNNVD: CNNVD-202106-1620 // NVD: CVE-2021-29087 // NVD: CVE-2021-29087

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.1

problemtype: Path traversal (CWE-22) [ Other ]

Trust: 0.8

sources: VULHUB: VHN-388627 // JVNDB: JVNDB-2021-008494 // NVD: CVE-2021-29087

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-1620

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202106-1620

PATCH

title: Synology-SA-20, url: https://www.synology.com/ja-jp/security/advisory/Synology_SA_20_26

Trust: 0.8

title: Synology DiskStation Manager Repair measures for path traversal vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155552

Trust: 0.6

sources: JVNDB: JVNDB-2021-008494 // CNNVD: CNNVD-202106-1620

EXTERNAL IDS

db: NVD, id: CVE-2021-29087

Trust: 3.3

db: JVNDB, id: JVNDB-2021-008494

Trust: 0.8

db: CNNVD, id: CNNVD-202106-1620

Trust: 0.7

db: VULHUB, id: VHN-388627

Trust: 0.1

sources: VULHUB: VHN-388627 // JVNDB: JVNDB-2021-008494 // CNNVD: CNNVD-202106-1620 // NVD: CVE-2021-29087

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_20_26

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-29087

Trust: 0.8

sources: VULHUB: VHN-388627 // JVNDB: JVNDB-2021-008494 // CNNVD: CNNVD-202106-1620 // NVD: CVE-2021-29087

SOURCES

db: VULHUB, id: VHN-388627
db: JVNDB, id: JVNDB-2021-008494
db: CNNVD, id: CNNVD-202106-1620
db: NVD, id: CVE-2021-29087

LAST UPDATE DATE

2024-08-14T14:55:55.606000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-388627, date: 2021-06-29T00:00:00
db: JVNDB, id: JVNDB-2021-008494, date: 2022-03-18T01:13:00
db: CNNVD, id: CNNVD-202106-1620, date: 2021-06-30T00:00:00
db: NVD, id: CVE-2021-29087, date: 2021-06-29T19:44:15.820

SOURCES RELEASE DATE

db: VULHUB, id: VHN-388627, date: 2021-06-23T00:00:00
db: JVNDB, id: JVNDB-2021-008494, date: 2022-03-18T00:00:00
db: CNNVD, id: CNNVD-202106-1620, date: 2021-06-23T00:00:00
db: NVD, id: CVE-2021-29087, date: 2021-06-23T10:15:08.473