CVE-2024-50630 - Vulnerability Details - OpenCVE

Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00084.

Exploitation none

Automatable yes

Technical Impact total

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.synology.com/en-global/security/advisory/Synology_SA_24_21

History

Wed, 19 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 19 Mar 2025 06:00:00 +0000

Type	Values Removed	Values Added
Description		Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors.
Weaknesses		CWE-306
References		https://www.synology.com/en-global/security/advisory/Synology_SA_24_21
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: synology

Published: 2025-03-19T05:50:05.059Z

Updated: 2025-03-19T14:41:45.451Z

Reserved: 2024-10-28T02:41:27.550Z

Link: CVE-2024-50630

Vulnrichment

Updated: 2025-03-19T14:41:33.172Z

NVD

Status : Received

Published: 2025-03-19T06:15:15.620

Modified: 2025-03-19T06:15:15.620

Link: CVE-2024-50630

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-50630", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "state": "PUBLISHED", "assignerShortName": "synology", "dateReserved": "2024-10-28T02:41:27.550Z", "datePublished": "2025-03-19T05:50:05.059Z", "dateUpdated": "2025-03-19T14:41:45.451Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "affected": [{"vendor": "Synology", "product": "Synology Drive Server", "versions": [{"version": "*", "status": "affected", "lessThan": "3.0.4-12699", "versionType": "semver"}, {"version": "*", "status": "affected", "lessThan": "3.5.1-26102", "versionType": "semver"}, {"version": "*", "status": "affected", "lessThan": "3.5.0-26085", "versionType": "semver"}, {"version": "*", "status": "affected", "lessThan": "3.2.1-23280", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1"}}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_21", "name": "Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from DEVCORE Research Team", "type": "finder"}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2025-03-19T05:50:05.059Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-19T14:41:06.009658Z", "id": "CVE-2024-50630", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T14:41:45.451Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-50630", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-19T14:41:06.009658Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T14:41:33.172Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from DEVCORE Research Team"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Synology", "product": "Synology Drive Server", "versions": [{"status": "affected", "version": "*", "lessThan": "3.0.4-12699", "versionType": "semver"}, {"status": "affected", "version": "*", "lessThan": "3.5.1-26102", "versionType": "semver"}, {"status": "affected", "version": "*", "lessThan": "3.5.0-26085", "versionType": "semver"}, {"status": "affected", "version": "*", "lessThan": "3.2.1-23280", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_21", "name": "Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Missing authentication for critical function vulnerability in the webapi component in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to obtain administrator credentials via unspecified vectors."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2025-03-19T05:50:05.059Z"}}}, "cveMetadata": {"cveId": "CVE-2024-50630", "state": "PUBLISHED", "dateUpdated": "2025-03-19T14:41:45.451Z", "dateReserved": "2024-10-28T02:41:27.550Z", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "datePublished": "2025-03-19T05:50:05.059Z", "assignerShortName": "synology"}, "dataVersion": "5.1"}