CVE-2022-27616

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.synology.com/security/advisory/Synology_SA_22_03	Vendor Advisory
https://www.synology.com/security/advisory/Synology_SA_22_03	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:synology:diskstation_manager::::::::
	cpe:2.3:o:synology:diskstation_manager::::::::

History

14 Jan 2025, 19:29

Type	Values Removed	Values Added
CPE	cpe:2.3:a:synology:diskstation_manager::::::::	cpe:2.3:o:synology:diskstation_manager::::::::

21 Nov 2024, 06:56

Type	Values Removed	Values Added
References	~~() https://www.synology.com/security/advisory/Synology_SA_22_03 - Vendor Advisory~~	() https://www.synology.com/security/advisory/Synology_SA_22_03 - Vendor Advisory

10 Aug 2022, 15:54

Type	Values Removed	Values Added
References	~~(CONFIRM) https://www.synology.com/security/advisory/Synology_SA_22_03 -~~	(CONFIRM) https://www.synology.com/security/advisory/Synology_SA_22_03 - Vendor Advisory
CPE		cpe:2.3:a:synology:diskstation_manager::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2

03 Aug 2022, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-03 02:15

Updated : 2025-01-14 19:29

NVD link : CVE-2022-27616

Mitre link : CVE-2022-27616

CVE.ORG link : CVE-2022-27616

JSON object : View

Products Affected

synology

diskstation_manager

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2022-27616", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@synology.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2022-08-03T02:15:07.613", "references": [{"url": "https://www.synology.com/security/advisory/Synology_SA_22_03", "tags": ["Vendor Advisory"], "source": "security@synology.com"}, {"url": "https://www.synology.com/security/advisory/Synology_SA_22_03", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@synology.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors."}, {"lang": "es", "value": "Una vulnerabilidad de neutralizaci\u00f3n inapropiada de los elementos especiales usados en un comando del Sistema Operativo (\"Inyecci\u00f3n de Comandos del Sistema Operativo\") en el componente webapi en Synology DiskStation Manager (DSM) versiones anteriores a 7.0.1-42218-3, permite a usuarios remotos autenticados ejecutar comandos arbitrarios por medio de vectores no especificados"}], "lastModified": "2025-01-14T19:29:55.853", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:synology:diskstation_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "43222A84-AA2B-4C84-BC6C-21603CA1C050", "versionEndExcluding": "6.2.4-25556-5", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:synology:diskstation_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E59872F9-087A-472A-90F6-423F9BB4012C", "versionEndExcluding": "7.0.1-42218-3", "versionStartIncluding": "7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@synology.com"}