cvelistv5 - CVE-2024-11398

CVE-2024-11398 (GCVE-0-2024-11398)

Vulnerability from cvelistv5

Published

2024-12-04 06:59

Modified

2024-12-04 14:09

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Summary

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors.

References

URL

Tags

security@synology.com

https://www.synology.com/en-global/security/advisory/Synology_SA_24_03

Vendor Advisory

Impacted products

	Vendor	Product	Version
	Synology	Synology Router Manager (SRM)	Version: 1.3 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-11398",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-04T14:05:22.866234Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-04T14:09:11.756Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Synology Router Manager (SRM)",
          "vendor": "Synology",
          "versions": [
            {
              "lessThan": "1.3.1-9346-9",
              "status": "affected",
              "version": "1.3",
              "versionType": "semver"
            },
            {
              "lessThan": "1.3",
              "status": "unknown",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Orange Tsai (@orange_8361) from DEVCORE Research Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-04T06:59:56.673Z",
        "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "shortName": "synology"
      },
      "references": [
        {
          "name": "Synology-SA-24:03 SRM",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_03"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
    "assignerShortName": "synology",
    "cveId": "CVE-2024-11398",
    "datePublished": "2024-12-04T06:59:56.673Z",
    "dateReserved": "2024-11-19T03:51:29.578Z",
    "dateUpdated": "2024-12-04T14:09:11.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-11398\",\"sourceIdentifier\":\"security@synology.com\",\"published\":\"2024-12-04T07:15:05.983\",\"lastModified\":\"2025-07-29T19:42:50.477\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors.\"},{\"lang\":\"es\",\"value\":\" La vulnerabilidad de limitaci\u00f3n incorrecta de una ruta de acceso a un directorio restringido (\u0027Path Traversal\u0027) en la funcionalidad de restablecimiento de OTP en Synology Router Manager (SRM) anterior a 1.3.1-9346-9 permite a usuarios remotos autenticados eliminar archivos arbitrarios a trav\u00e9s de vectores no especificados.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@synology.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security@synology.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3\",\"versionEndExcluding\":\"1.3.1-9346\",\"matchCriteriaId\":\"F8046DA6-36F6-4155-8594-8E7057396BFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"1516A124-FB02-4ADA-BCB6-27F0F1170A11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"BD983E13-D56A-4E76-9689-0F1AE99CEC7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C642E1B-1E10-444E-9243-7A7E8ECBD17D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:update3:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7544B4B-5BB7-4D58-8943-98DACC17E5F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:update4:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A7269FD-9F1D-4CA3-A8F6-3A13C967FBD7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:update5:*:*:*:*:*:*\",\"matchCriteriaId\":\"52005D46-FFB0-44DF-9583-7EB436F2CDF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:update6:*:*:*:*:*:*\",\"matchCriteriaId\":\"E50F7D87-1D71-4AA7-A6C8-B15744521D23\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:update7:*:*:*:*:*:*\",\"matchCriteriaId\":\"CFE129E2-9243-4DB3-9D2F-9E0F886ECCC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:synology:router_manager:1.3.1-9346:update8:*:*:*:*:*:*\",\"matchCriteriaId\":\"185CD5A8-1115-40AF-91DD-E0065E1ACD7A\"}]}]}],\"references\":[{\"url\":\"https://www.synology.com/en-global/security/advisory/Synology_SA_24_03\",\"source\":\"security@synology.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-11398\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-04T14:05:22.866234Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-04T14:05:25.399Z\"}}], \"cna\": {\"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Orange Tsai (@orange_8361) from DEVCORE Research Team\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Synology\", \"product\": \"Synology Router Manager (SRM)\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.3\", \"lessThan\": \"1.3.1-9346-9\", \"versionType\": \"semver\"}, {\"status\": \"unknown\", \"version\": \"0\", \"lessThan\": \"1.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://www.synology.com/en-global/security/advisory/Synology_SA_24_03\", \"name\": \"Synology-SA-24:03 SRM\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"db201096-a0cc-46c7-9a55-61d9e221bf01\", \"shortName\": \"synology\", \"dateUpdated\": \"2024-12-04T06:59:56.673Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-11398\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-04T14:09:11.756Z\", \"dateReserved\": \"2024-11-19T03:51:29.578Z\", \"assignerOrgId\": \"db201096-a0cc-46c7-9a55-61d9e221bf01\", \"datePublished\": \"2024-12-04T06:59:56.673Z\", \"assignerShortName\": \"synology\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

wid-sec-w-2024-3603

Vulnerability from csaf_certbund

Published

2024-12-03 23:00

Modified

2024-12-03 23:00

Summary

Synology Router Manager: Schwachstelle ermöglicht Manipulation von Dateien

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Der Synology Router Manager (SRM) ist das Betriebssystem, mit dem jeder Synology Router betrieben wird.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Synology Router Manager ausnutzen, um Dateien zu manipulieren.

Betroffene Betriebssysteme

- Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Synology Router Manager (SRM) ist das Betriebssystem, mit dem jeder Synology Router betrieben wird.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Synology Router Manager ausnutzen, um Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3603 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3603.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3603 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3603"
      },
      {
        "category": "external",
        "summary": "Synology Security Advisory vom 2024-12-03",
        "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_03"
      }
    ],
    "source_lang": "en-US",
    "title": "Synology Router Manager: Schwachstelle erm\u00f6glicht Manipulation von Dateien",
    "tracking": {
      "current_release_date": "2024-12-03T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-04T12:16:07.121+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2024-3603",
      "initial_release_date": "2024-12-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-12-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.3.1-9346-9",
                "product": {
                  "name": "Synology Router Manager \u003c1.3.1-9346-9",
                  "product_id": "T039568"
                }
              },
              {
                "category": "product_version",
                "name": "1.3.1-9346-9",
                "product": {
                  "name": "Synology Router Manager 1.3.1-9346-9",
                  "product_id": "T039568-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:synology:synology_router_manager:1.3.1-9346-9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Router Manager"
          }
        ],
        "category": "vendor",
        "name": "Synology"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-11398",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle im Synology Router Manager. Diese Schwachstelle betrifft die OTP-Reset-Funktionalit\u00e4t aufgrund eines Path-Traversal-Problems. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebige Dateien \u00fcber nicht spezifizierte Vektoren zu l\u00f6schen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039568"
        ]
      },
      "release_date": "2024-12-03T23:00:00.000+00:00",
      "title": "CVE-2024-11398"
    }
  ]
}

WID-SEC-W-2024-3603

Vulnerability from csaf_certbund

Published

2024-12-03 23:00

Modified

2024-12-03 23:00

Summary

Synology Router Manager: Schwachstelle ermöglicht Manipulation von Dateien

Notes

Produktbeschreibung

Der Synology Router Manager (SRM) ist das Betriebssystem, mit dem jeder Synology Router betrieben wird.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Synology Router Manager ausnutzen, um Dateien zu manipulieren.

Betroffene Betriebssysteme

- Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Synology Router Manager (SRM) ist das Betriebssystem, mit dem jeder Synology Router betrieben wird.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Synology Router Manager ausnutzen, um Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3603 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3603.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3603 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3603"
      },
      {
        "category": "external",
        "summary": "Synology Security Advisory vom 2024-12-03",
        "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_03"
      }
    ],
    "source_lang": "en-US",
    "title": "Synology Router Manager: Schwachstelle erm\u00f6glicht Manipulation von Dateien",
    "tracking": {
      "current_release_date": "2024-12-03T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-04T12:16:07.121+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2024-3603",
      "initial_release_date": "2024-12-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-12-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.3.1-9346-9",
                "product": {
                  "name": "Synology Router Manager \u003c1.3.1-9346-9",
                  "product_id": "T039568"
                }
              },
              {
                "category": "product_version",
                "name": "1.3.1-9346-9",
                "product": {
                  "name": "Synology Router Manager 1.3.1-9346-9",
                  "product_id": "T039568-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:synology:synology_router_manager:1.3.1-9346-9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Router Manager"
          }
        ],
        "category": "vendor",
        "name": "Synology"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-11398",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle im Synology Router Manager. Diese Schwachstelle betrifft die OTP-Reset-Funktionalit\u00e4t aufgrund eines Path-Traversal-Problems. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebige Dateien \u00fcber nicht spezifizierte Vektoren zu l\u00f6schen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039568"
        ]
      },
      "release_date": "2024-12-03T23:00:00.000+00:00",
      "title": "CVE-2024-11398"
    }
  ]
}

fkie_cve-2024-11398

Vulnerability from fkie_nvd

Published

2024-12-04 07:15

Modified

2025-07-29 19:42

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Summary

References

	URL	Tags
	security@synology.com	https://www.synology.com/en-global/security/advisory/Synology_SA_24_03	Vendor Advisory

Impacted products

Vendor	Product	Version
synology	router_manager	*
synology	router_manager	1.3.1-9346
synology	router_manager	1.3.1-9346
synology	router_manager	1.3.1-9346
synology	router_manager	1.3.1-9346
synology	router_manager	1.3.1-9346
synology	router_manager	1.3.1-9346
synology	router_manager	1.3.1-9346
synology	router_manager	1.3.1-9346
synology	router_manager	1.3.1-9346

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:synology:router_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8046DA6-36F6-4155-8594-8E7057396BFB",
              "versionEndExcluding": "1.3.1-9346",
              "versionStartIncluding": "1.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:-:*:*:*:*:*:*",
              "matchCriteriaId": "1516A124-FB02-4ADA-BCB6-27F0F1170A11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:update1:*:*:*:*:*:*",
              "matchCriteriaId": "BD983E13-D56A-4E76-9689-0F1AE99CEC7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:update2:*:*:*:*:*:*",
              "matchCriteriaId": "7C642E1B-1E10-444E-9243-7A7E8ECBD17D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:update3:*:*:*:*:*:*",
              "matchCriteriaId": "B7544B4B-5BB7-4D58-8943-98DACC17E5F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:update4:*:*:*:*:*:*",
              "matchCriteriaId": "5A7269FD-9F1D-4CA3-A8F6-3A13C967FBD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:update5:*:*:*:*:*:*",
              "matchCriteriaId": "52005D46-FFB0-44DF-9583-7EB436F2CDF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:update6:*:*:*:*:*:*",
              "matchCriteriaId": "E50F7D87-1D71-4AA7-A6C8-B15744521D23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:update7:*:*:*:*:*:*",
              "matchCriteriaId": "CFE129E2-9243-4DB3-9D2F-9E0F886ECCC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:router_manager:1.3.1-9346:update8:*:*:*:*:*:*",
              "matchCriteriaId": "185CD5A8-1115-40AF-91DD-E0065E1ACD7A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors."
    },
    {
      "lang": "es",
      "value": " La vulnerabilidad de limitaci\u00f3n incorrecta de una ruta de acceso a un directorio restringido (\u0027Path Traversal\u0027) en la funcionalidad de restablecimiento de OTP en Synology Router Manager (SRM) anterior a 1.3.1-9346-9 permite a usuarios remotos autenticados eliminar archivos arbitrarios a trav\u00e9s de vectores no especificados."
    }
  ],
  "id": "CVE-2024-11398",
  "lastModified": "2025-07-29T19:42:50.477",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security@synology.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-04T07:15:05.983",
  "references": [
    {
      "source": "security@synology.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_03"
    }
  ],
  "sourceIdentifier": "security@synology.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security@synology.com",
      "type": "Primary"
    }
  ]
}

ghsa-79vx-rgpq-6669

Vulnerability from github

Published

2024-12-04 12:31

Modified

2024-12-04 12:31

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-11398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-04T07:15:05Z",
    "severity": "HIGH"
  },
  "details": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors.",
  "id": "GHSA-79vx-rgpq-6669",
  "modified": "2024-12-04T12:31:44Z",
  "published": "2024-12-04T12:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11398"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-11398 (GCVE-0-2024-11398)

Vulnerability from cvelistv5

wid-sec-w-2024-3603

Vulnerability from csaf_certbund

WID-SEC-W-2024-3603

Vulnerability from csaf_certbund

fkie_cve-2024-11398

Vulnerability from fkie_nvd

ghsa-79vx-rgpq-6669

Vulnerability from github

Tags

Sightings

Nomenclature