OpenCVE

Insertion of sensitive information into log file vulnerability in proxy settings component in Synology Drive Client before 3.3.0-15082 allows remote authenticated users to obtain sensitive information via unspecified vectors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Synology	Drive Client

Configuration 1 [-]

cpe:2.3:a:synology:drive_client:*:*:*:*:*:desktop:*:*

No data.

References

Link	Providers
https://www.synology.com/en-global/security/advisory/Synology_SA_24_10

History

Tue, 08 Oct 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Synology Synology drive Client
CPEs		cpe:2.3:a:synology:drive_client::::::desktop::*
Vendors & Products		Synology Synology drive Client

Thu, 26 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Sep 2024 03:45:00 +0000

Type	Values Removed	Values Added
Description		Insertion of sensitive information into log file vulnerability in proxy settings component in Synology Drive Client before 3.3.0-15082 allows remote authenticated users to obtain sensitive information via unspecified vectors.
Weaknesses		CWE-532
References		https://www.synology.com/en-global/security/advisory/Synology_SA_24_10
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: synology

Published: 2024-09-26T03:32:31.301Z

Updated: 2024-09-26T14:52:35.431Z

Reserved: 2024-09-24T08:40:22.263Z

Link: CVE-2022-49037

Vulnrichment

Updated: 2024-09-26T14:52:31.295Z

NVD

Status : Analyzed

Published: 2024-09-26T04:15:03.770

Modified: 2024-10-08T16:08:55.390

Link: CVE-2022-49037

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49037", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "state": "PUBLISHED", "assignerShortName": "synology", "dateReserved": "2024-09-24T08:40:22.263Z", "datePublished": "2024-09-26T03:32:31.301Z", "dateUpdated": "2024-09-26T14:52:35.431Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "cweId": "CWE-532", "type": "CWE"}]}], "affected": [{"vendor": "Synology", "product": "Synology Drive Client", "versions": [{"version": "*", "status": "affected", "lessThan": "3.5.0-16084", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Insertion of sensitive information into log file vulnerability in proxy settings component in Synology Drive Client before 3.3.0-15082 allows remote authenticated users to obtain sensitive information via unspecified vectors."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_10", "name": "Synology-SA-24:10 Synology Drive Client", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "Zhao Runzi (\u8d75\u6da6\u6893)", "type": "finder"}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-09-26T03:32:31.301Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T14:52:23.468744Z", "id": "CVE-2022-49037", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T14:52:35.431Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-49037", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-26T14:52:23.468744Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T14:52:31.295Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Zhao Runzi (\u8d75\u6da6\u6893)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Synology", "product": "Synology Drive Client", "versions": [{"status": "affected", "version": "*", "lessThan": "3.5.0-16084", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_10", "name": "Synology-SA-24:10 Synology Drive Client", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Insertion of sensitive information into log file vulnerability in proxy settings component in Synology Drive Client before 3.3.0-15082 allows remote authenticated users to obtain sensitive information via unspecified vectors."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-09-26T03:32:31.301Z"}}}, "cveMetadata": {"cveId": "CVE-2022-49037", "state": "PUBLISHED", "dateUpdated": "2024-09-26T14:52:35.431Z", "dateReserved": "2024-09-24T08:40:22.263Z", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "datePublished": "2024-09-26T03:32:31.301Z", "assignerShortName": "synology"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synology:drive_client:*:*:*:*:*:desktop:*:*", "matchCriteriaId": "25A1D284-49F9-4F67-B9A3-6451803B1B36", "versionEndExcluding": "3.3.0-15082", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of sensitive information into log file vulnerability in proxy settings component in Synology Drive Client before 3.3.0-15082 allows remote authenticated users to obtain sensitive information via unspecified vectors."}, {"lang": "es", "value": "La vulnerabilidad de inserci\u00f3n de informaci\u00f3n confidencial en el archivo de registro en el componente de configuraci\u00f3n de proxy en Synology Drive Client anterior a 3.3.0-15082 permite que usuarios remotos autenticados obtengan informaci\u00f3n confidencial a trav\u00e9s de vectores no especificados."}], "id": "CVE-2022-49037", "lastModified": "2024-10-08T16:08:55.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@synology.com", "type": "Secondary"}]}, "published": "2024-09-26T04:15:03.770", "references": [{"source": "security@synology.com", "tags": ["Vendor Advisory"], "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_10"}], "sourceIdentifier": "security@synology.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@synology.com", "type": "Primary"}]}