OpenCVE

A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the IP block functionality. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.synology.com/en-global/security/advisory/Synology_SA_23_15

History

No history.

MITRE

Status: PUBLISHED

Assigner: synology

Published: 2024-06-28T06:01:58.733Z

Updated: 2024-08-02T21:16:43.691Z

Reserved: 2023-11-10T07:59:45.608Z

Link: CVE-2023-47802

Vulnrichment

Updated: 2024-08-02T21:16:43.691Z

NVD

Status : Awaiting Analysis

Published: 2024-06-28T06:15:03.220

Modified: 2024-11-21T08:30:50.053

Link: CVE-2023-47802

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-47802", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "state": "PUBLISHED", "assignerShortName": "synology", "dateReserved": "2023-11-10T07:59:45.608Z", "datePublished": "2024-06-28T06:01:58.733Z", "dateUpdated": "2024-08-02T21:16:43.691Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "cweId": "CWE-78", "type": "CWE"}]}], "affected": [{"vendor": "Synology", "product": "Camera Firmware", "versions": [{"version": "1.0", "status": "affected", "lessThan": "1.0.7-0298", "versionType": "semver"}], "defaultStatus": "affected", "platforms": ["BC500", "TC500"]}], "descriptions": [{"lang": "en", "value": "A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the IP block functionality. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_15", "name": "Synology-SA-23:15 Synology Camera (PWN2OWN 2023)", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "Jaehoon Jang, Wonbeen Im, STEALIEN(https://stealien.com)", "type": "finder"}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-06-28T06:01:58.733Z"}}, "adp": [{"affected": [{"vendor": "synology", "product": "camera_firmware", "cpes": ["cpe:2.3:a:synology:camera_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.0", "status": "affected", "lessThan": "1.0.7-0298", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-28T19:15:52.993070Z", "id": "CVE-2023-47802", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T17:25:07.479Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:16:43.691Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_15", "name": "Synology-SA-23:15 Synology Camera (PWN2OWN 2023)", "tags": ["vendor-advisory", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_15", "name": "Synology-SA-23:15 Synology Camera (PWN2OWN 2023)", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:16:43.691Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-47802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-28T19:15:52.993070Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:synology:camera_firmware:*:*:*:*:*:*:*:*"], "vendor": "synology", "product": "camera_firmware", "versions": [{"status": "affected", "version": "1.0", "lessThan": "1.0.7-0298", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T16:19:26.689Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Jaehoon Jang, Wonbeen Im, STEALIEN(https://stealien.com)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Synology", "product": "Camera Firmware", "versions": [{"status": "affected", "version": "1.0", "lessThan": "1.0.7-0298", "versionType": "semver"}], "platforms": ["BC500", "TC500"], "defaultStatus": "affected"}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_15", "name": "Synology-SA-23:15 Synology Camera (PWN2OWN 2023)", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the IP block functionality. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-06-28T06:01:58.733Z"}}}, "cveMetadata": {"cveId": "CVE-2023-47802", "state": "PUBLISHED", "dateUpdated": "2024-08-02T21:16:43.691Z", "dateReserved": "2023-11-10T07:59:45.608Z", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "datePublished": "2024-06-28T06:01:58.733Z", "assignerShortName": "synology"}, "dataVersion": "5.1"}