CVE-2020-27656 - OpenCVE

Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Synology	Diskstation Manager

Configuration 1 [-]

cpe:2.3:a:synology:diskstation_manager:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.synology.com/security/advisory/Synology_SA_20_18
https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1071

History

No history.

MITRE

Status: PUBLISHED

Assigner: synology

Published: 2020-10-29T09:00:26.440634Z

Updated: 2024-09-16T17:28:58.260Z

Reserved: 2020-10-22T00:00:00

Link: CVE-2020-27656

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-10-29T09:15:13.497

Modified: 2020-11-03T21:02:22.117

Link: CVE-2020-27656

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "DiskStation Manager (DSM)", "vendor": "Synology", "versions": [{"lessThan": "6.2.3-25426-2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-10-29T00:00:00", "descriptions": [{"lang": "en", "value": "Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-30T00:06:25", "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.synology.com/security/advisory/Synology_SA_20_18"}, {"tags": ["x_refsource_MISC"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1071"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@synology.com", "DATE_PUBLIC": "2020-10-29T00:00:00", "ID": "CVE-2020-27656", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DiskStation Manager (DSM)", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "6.2.3-25426-2"}]}}]}, "vendor_name": "Synology"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors."}]}, "impact": {"cvss": {"baseScore": "6.5", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-319: Cleartext Transmission of Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "https://www.synology.com/security/advisory/Synology_SA_20_18", "refsource": "CONFIRM", "url": "https://www.synology.com/security/advisory/Synology_SA_20_18"}, {"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1071", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1071"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:18:45.677Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.synology.com/security/advisory/Synology_SA_20_18"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1071"}]}]}, "cveMetadata": {"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "assignerShortName": "synology", "cveId": "CVE-2020-27656", "datePublished": "2020-10-29T09:00:26.440634Z", "dateReserved": "2020-10-22T00:00:00", "dateUpdated": "2024-09-16T17:28:58.260Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synology:diskstation_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "64736643-3C6B-4F39-8227-95967BA60AF4", "versionEndExcluding": "6.2.3-25426-2", "versionStartIncluding": "6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors."}, {"lang": "es", "value": "Una vulnerabilidad de transmisi\u00f3n de informaci\u00f3n confidencial en texto sin cifrar en DDNS en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-2, permite a atacantes de tipo man-in-the-middle rastrear una informaci\u00f3n de autenticaci\u00f3n de DNSExit por medio de vectores no especificados"}], "id": "CVE-2020-27656", "lastModified": "2020-11-03T21:02:22.117", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.7, "source": "security@synology.com", "type": "Secondary"}]}, "published": "2020-10-29T09:15:13.497", "references": [{"source": "security@synology.com", "tags": ["Vendor Advisory"], "url": "https://www.synology.com/security/advisory/Synology_SA_20_18"}, {"source": "security@synology.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1071"}], "sourceIdentifier": "security@synology.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "security@synology.com", "type": "Secondary"}]}