CVE-2021-29084
Synology DiskStation Manager webapi CRLF Injection Information Disclosure Vulnerability
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Synology DS418play. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the webapi component. The issue results from incorrect neutralization of CRLF sequences in HTTP requests. An attacker can leverage this vulnerability to disclose information in the context of the Admin user.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-03-23 CVE Reserved
- 2021-05-25 CVE Published
- 2024-09-16 CVE Updated
- 2024-10-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (1)
URL | Date | Source
---|---|---
https://www.synology.com/security/advisory/Synology_SA_20_26 | 2021-06-29 | -
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Synology | Diskstation Manager | >= 6.2 < 6.2.3-25426-3 | - | Affected
Synology | Diskstation Manager Unified Controller | < 3.1-23033 | - | Affected