Lucene search

SynologyCVE-2022-27617

HistoryAug 03, 2022 - 3:15 a.m.

CVE-2022-27617

2022-08-0303:15:08

CWE-22

synology

web.nvd.nist.gov

cve-2022-27617

path traversal

synology calendar

vulnerability

web security

remote authenticated users

arbitrary file download

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

AI Score

4.4

Confidence

High

EPSS

0.001

Percentile

26.9%

JSON

Improper limitation of a pathname to a restricted directory (‘Path Traversal’) vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to download arbitrary files via unspecified vectors.

Affected configurations

Nvd

Node

synologycalendarRange<2.3.4-0631

AND

synologydiskstation_managerMatch6.2

VendorProductVersionCPE
synologycalendar*cpe:2.3:a:synology:calendar:*:*:*:*:*:*:*:*
synologydiskstation_manager6.2cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
synology	calendar	*	cpe:2.3:a:synology:calendar::::::::
synology	diskstation_manager	6.2	cpe:2.3:a:synology:diskstation_manager:6.2:::::::*

CNA Affected

[
  {
    "product": "Synology Calendar",
    "vendor": "Synology",
    "versions": [
      {
        "lessThan": "2.3.4-0631",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.synology.com/security/advisory/Synology_SA_20_07

Social References

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

AI Score

4.4

Confidence

High

EPSS

0.001

Percentile

26.9%

JSON

Related for CVE-2022-27617