Lucene search

SynologyCVE-2017-11149

HistoryAug 14, 2017 - 7:29 p.m.

CVE-2017-11149

2017-08-1419:29:00

CWE-918

synology

web.nvd.nist.gov

cve-2017-11149

synology download station

ssrf

vulnerability

security

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

22.9%

JSON

Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via crafted URI.

Affected configurations

Nvd

Node

synologydownload_stationMatch3.2-2295

synologydownload_stationMatch3.3-2382

synologydownload_stationMatch3.3-2383

synologydownload_stationMatch3.3-2386

synologydownload_stationMatch3.4-2477

synologydownload_stationMatch3.4-2478

synologydownload_stationMatch3.4-2480

synologydownload_stationMatch3.4-2485

synologydownload_stationMatch3.4-2486

synologydownload_stationMatch3.4-2489

synologydownload_stationMatch3.4-2490

synologydownload_stationMatch3.4-2514

synologydownload_stationMatch3.4-2555

synologydownload_stationMatch3.4-2557

synologydownload_stationMatch3.4-2558

synologydownload_stationMatch3.5-2638

synologydownload_stationMatch3.5-2705

synologydownload_stationMatch3.5-2706

synologydownload_stationMatch3.5-2955

synologydownload_stationMatch3.5-2956

synologydownload_stationMatch3.5-2962

synologydownload_stationMatch3.5-2963

synologydownload_stationMatch3.5-2967

synologydownload_stationMatch3.5-2968

synologydownload_stationMatch3.5-2970

synologydownload_stationMatch3.5-2973

synologydownload_stationMatch3.5-2980

synologydownload_stationMatch3.5-2982

synologydownload_stationMatch3.8.0-3416

synologydownload_stationMatch3.8.1-3420

synologydownload_stationMatch3.8.2-3455

synologydownload_stationMatch3.8.3-3458

synologydownload_stationMatch3.8.4-3468

VendorProductVersionCPE
synologydownload_station3.2-2295cpe:2.3:a:synology:download_station:3.2-2295:*:*:*:*:*:*:*
synologydownload_station3.3-2382cpe:2.3:a:synology:download_station:3.3-2382:*:*:*:*:*:*:*
synologydownload_station3.3-2383cpe:2.3:a:synology:download_station:3.3-2383:*:*:*:*:*:*:*
synologydownload_station3.3-2386cpe:2.3:a:synology:download_station:3.3-2386:*:*:*:*:*:*:*
synologydownload_station3.4-2477cpe:2.3:a:synology:download_station:3.4-2477:*:*:*:*:*:*:*
synologydownload_station3.4-2478cpe:2.3:a:synology:download_station:3.4-2478:*:*:*:*:*:*:*
synologydownload_station3.4-2480cpe:2.3:a:synology:download_station:3.4-2480:*:*:*:*:*:*:*
synologydownload_station3.4-2485cpe:2.3:a:synology:download_station:3.4-2485:*:*:*:*:*:*:*
synologydownload_station3.4-2486cpe:2.3:a:synology:download_station:3.4-2486:*:*:*:*:*:*:*
synologydownload_station3.4-2489cpe:2.3:a:synology:download_station:3.4-2489:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
synology	download_station	3.2-2295	cpe:2.3:a:synology:download_station:3.2-2295:::::::*
synology	download_station	3.3-2382	cpe:2.3:a:synology:download_station:3.3-2382:::::::*
synology	download_station	3.3-2383	cpe:2.3:a:synology:download_station:3.3-2383:::::::*
synology	download_station	3.3-2386	cpe:2.3:a:synology:download_station:3.3-2386:::::::*
synology	download_station	3.4-2477	cpe:2.3:a:synology:download_station:3.4-2477:::::::*
synology	download_station	3.4-2478	cpe:2.3:a:synology:download_station:3.4-2478:::::::*
synology	download_station	3.4-2480	cpe:2.3:a:synology:download_station:3.4-2480:::::::*
synology	download_station	3.4-2485	cpe:2.3:a:synology:download_station:3.4-2485:::::::*
synology	download_station	3.4-2486	cpe:2.3:a:synology:download_station:3.4-2486:::::::*
synology	download_station	3.4-2489	cpe:2.3:a:synology:download_station:3.4-2489:::::::*

Rows per page:

1-10 of 331

CNA Affected

[
  {
    "product": "Synology Download Station",
    "vendor": "Synology",
    "versions": [
      {
        "status": "affected",
        "version": "3.8.x before 3.8.5-3475 and 3.x before 3.5-2984"
      }
    ]
  }
]

References

www.synology.com/en-global/support/security/Synology_SA_17_28_Download_Station

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

22.9%

JSON

Related for CVE-2017-11149