CVE-2024-39347 - OpenCVE

Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

References

No reference.

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: synology

Published: 2024-06-28T06:30:10.727Z

Updated: 2024-07-02T16:39:01.301Z

Reserved: 2024-06-24T10:57:17.890Z

Link: CVE-2024-39347

JSON object: View

NVD Information

No data.

Redhat Information

No data.

CWE

CWE-276

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39347", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "state": "PUBLISHED", "assignerShortName": "synology", "dateReserved": "2024-06-24T10:57:17.890Z", "datePublished": "2024-06-28T06:30:10.727Z", "dateUpdated": "2024-07-02T16:39:01.301Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-276: Incorrect Default Permissions", "cweId": "CWE-276", "type": "CWE"}]}], "affected": [{"vendor": "Synology", "product": "Synology Router Manager (SRM)", "versions": [{"version": "1.3", "status": "affected", "lessThan": "1.3.1-9346-8", "versionType": "semver"}, {"version": "1.2", "status": "affected", "lessThan": "1.2.5-8227-11", "versionType": "semver"}, {"version": "0", "status": "unknown", "lessThan": "1.2", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_16", "name": "Synology-SA-23:16 SRM (PWN2OWN 2023)", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "Tri and Bien Pham (@bienpnn) from Team Orca of Sea Security working with Trend Micro Zero Day Initiative", "type": "finder"}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-06-28T06:30:10.727Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-01T14:49:31.346987Z", "id": "CVE-2024-39347", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T16:39:01.301Z"}}]}}