CVE-2022-22684 — OS Command Injection in Synology Diskstation Manager
Severity
8.8 HIGH (NVD)
7.2 (CNA)
EPSS
1.8%
top 17.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 28
Latest update: Jul 29
Description
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 2 packages
🔴 Vulnerability Details (2)
GHSA
GHSA-rq6g-fph9-p9mc: Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology Disk… (2022-07-29)
CVEList
CVE-2022-22684: Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology Disk… (2022-07-28)