4.3 CVE-2024-5401

Enriched by CISA
 

Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.
https://nvd.nist.gov/vuln/detail/CVE-2024-5401

Categories

CWE-913 : Improper Control of Dynamically-Managed Code Resources
Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

References


 

AFFECTED (from MITRE)

Vendor Product Versions
Synology DiskStation Manager (DSM)
  • 7.2.2 < 7.2.2-72806 [affected]
  • 7.2.1 < 7.2.1-69057-2 [affected]
  • < 7.2.1 [unknown]
Synology Unified Controller (DSMUC)
  • 3.1 < 3.1.4-23079 [affected]
  • < 3.1 [unknown]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:o:synology:diskstation_manager:*:*:*:*:*:*:*:* >= 7.2.1-69057 < 7.2.1-69057-2
cpe:2.3:o:synology:diskstation_manager:*:*:*:*:*:*:*:* >= 7.2.2-72803 < 7.2.2-72806
cpe:2.3:o:synology:diskstation_manager_unified_controller:*:*:*:*:*:*:*:* >= 3.1-23028 < 3.1.4-23079

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry