CVE-2017-11149

Server-Side Request Forgery (SSRF)

Published: Aug 14, 2017 | Modified: Oct 09, 2019
CVSS 3.x: 6.5 MEDIUM (source: NVD)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 4.0 MEDIUM
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via a crafted URI.

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
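The destination check that the weakness description says is missing, written out as an added example (not code from Synology Download Station or from this record): a download service that accepts a user-supplied URL validates the scheme and the resolved address before fetching anything. The function names, the http/https allow-list and the injectable resolver are assumptions made for this example; the sample URLs in the demo are constructed.

```python
"""Destination check for a URL-download feature (SSRF mitigation).

Added example, not Synology code: it demonstrates verifying that a
user-supplied URL points at an expected, public destination before the
server fetches it. Names, policy and resolver hook are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# A download service only needs remote web transports; file:// and any
# other scheme that could read local resources is rejected outright.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def _default_resolver(host):
    """Resolve a hostname to the set of IP addresses it maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def _is_public_address(ip):
    """True only for routable public addresses; loopback, private,
    link-local, multicast, reserved and unspecified ranges are refused,
    including IPv4 addresses mapped into IPv6 (::ffff:a.b.c.d)."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_download_url(url, resolver=_default_resolver):
    """Return (allowed, reason) for a user-supplied download URL.

    `resolver` is injectable so the policy can be exercised offline.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    # A literal IP address needs no DNS lookup; a name is resolved and
    # every address it maps to is checked.
    try:
        addresses = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addresses = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    if not addresses:
        return False, f"{host} resolved to no addresses"
    # A name resolving to a mix of public and internal addresses is
    # rejected as a whole rather than partially allowed.
    for ip in addresses:
        if not _is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the stub resolver avoids real DNS.
    stub = lambda host: {"93.184.216.34"}
    for sample in ("file:///etc/hosts", "http://127.0.0.1/",
                   "http://[::ffff:127.0.0.1]/", "http://example.com/file.iso"):
        print(sample, "->", check_download_url(sample, resolver=stub))
```

The check must be applied to the addresses the fetch actually connects to, not only to a lookup made earlier: a name that is re-resolved between validation and connection can otherwise be pointed at an internal address after the check has passed, so the HTTP client should pin the validated addresses or re-run the policy on each redirect and connection.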

Affected Software

Name              Vendor    Start Version  End Version
Download_station  Synology  3.2-2295       3.2-2295
Download_station  Synology  3.3-2382       3.3-2382
Download_station  Synology  3.3-2383       3.3-2383
Download_station  Synology  3.3-2386       3.3-2386
Download_station  Synology  3.4-2477       3.4-2477
Download_station  Synology  3.4-2478       3.4-2478
Download_station  Synology  3.4-2480       3.4-2480
Download_station  Synology  3.4-2485       3.4-2485
Download_station  Synology  3.4-2486       3.4-2486
Download_station  Synology  3.4-2489       3.4-2489
Download_station  Synology  3.4-2490       3.4-2490
Download_station  Synology  3.4-2514       3.4-2514
Download_station  Synology  3.4-2555       3.4-2555
Download_station  Synology  3.4-2557       3.4-2557
Download_station  Synology  3.4-2558       3.4-2558
Download_station  Synology  3.5-2638       3.5-2638
Download_station  Synology  3.5-2705       3.5-2705
Download_station  Synology  3.5-2706       3.5-2706
Download_station  Synology  3.5-2955       3.5-2955
Download_station  Synology  3.5-2956       3.5-2956
Download_station  Synology  3.5-2962       3.5-2962
Download_station  Synology  3.5-2963       3.5-2963
Download_station  Synology  3.5-2967       3.5-2967
Download_station  Synology  3.5-2968       3.5-2968
Download_station  Synology  3.5-2970       3.5-2970
Download_station  Synology  3.5-2973       3.5-2973
Download_station  Synology  3.5-2980       3.5-2980
Download_station  Synology  3.5-2982       3.5-2982
Download_station  Synology  3.8.0-3416     3.8.0-3416
Download_station  Synology  3.8.1-3420     3.8.1-3420
Download_station  Synology  3.8.2-3455     3.8.2-3455
Download_station  Synology  3.8.3-3458     3.8.3-3458
Download_station  Synology  3.8.4-3468     3.8.4-3468

References