CVE-2024-39348 - OpenCVE

Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

References

No reference.

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: synology

Published: 2024-06-28T06:30:57.973Z

Updated: 2024-06-28T13:39:34.938Z

Reserved: 2024-06-24T10:57:17.891Z

Link: CVE-2024-39348

JSON object: View

NVD Information

No data.

Redhat Information

No data.

CWE

CWE-494

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39348", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "state": "PUBLISHED", "assignerShortName": "synology", "dateReserved": "2024-06-24T10:57:17.891Z", "datePublished": "2024-06-28T06:30:57.973Z", "dateUpdated": "2024-06-28T13:39:34.938Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-494: Download of Code Without Integrity Check", "cweId": "CWE-494", "type": "CWE"}]}], "affected": [{"vendor": "Synology", "product": "Synology Router Manager (SRM)", "versions": [{"version": "1.3", "status": "affected", "lessThan": "1.3.1-9346-8", "versionType": "semver"}, {"version": "1.2", "status": "affected", "lessThan": "1.2.5-8227-11", "versionType": "semver"}, {"version": "0", "status": "unknown", "lessThan": "1.2", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_16", "name": "Synology-SA-23:16 SRM (PWN2OWN 2023)", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "Tomer Goldschmidt and Sharon Brizinov of Claroty Research - Team82", "type": "finder"}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-06-28T06:30:57.973Z"}}, "adp": [{"affected": [{"vendor": "synology", "product": "router_manager", "cpes": ["cpe:2.3:a:synology:router_manager:1.3:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.3", "status": "affected", "lessThan": "1.3.1-9346-8", "versionType": "custom"}]}, {"vendor": "synology", "product": "router_manager", "cpes": ["cpe:2.3:a:synology:router_manager:1.2:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.2", "status": "affected", "lessThan": "1.2.5-8227-11", "versionType": "custom"}]}, {"vendor": "synology", "product": "router_manager", "cpes": ["cpe:2.3:a:synology:router_manager:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-28T13:33:32.527252Z", "id": "CVE-2024-39348", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-28T13:39:34.938Z"}}]}}