Lucene search

SynologyCVELIST:CVE-2020-27648

HistoryOct 29, 2020 - 9:00 a.m.

CVE-2020-27648

2020-10-2909:00:25

CWE-295

synology

www.cve.org

openvpn

synology diskstation manager

certificate validation

man-in-the-middle attackers

servers

sensitive information

crafted certificate

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

38.2%

JSON

Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CNA Affected

[
  {
    "product": "DiskStation Manager (DSM)",
    "vendor": "Synology",
    "versions": [
      {
        "lessThan": "6.2.3-25426-2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.synology.com/security/advisory/Synology_SA_20_18

www.talosintelligence.com/vulnerability_reports/TALOS-2020-1058

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

38.2%

JSON

Related for CVELIST:CVE-2020-27648