ID

VAR-201708-1061


CVE

CVE-2017-11156


TITLE

Synology Download Station vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-007266

DESCRIPTION

Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for the ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors. Synology Download Station contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Synology Download Station is a set of web-based download applications from Synology. The program supports protocols such as BT, FTP and HTTP to download files. There is a security vulnerability in Synology Download Station 3.8.x versions before 3.8.5-3475 and 3.x versions before 3.5-2984. The vulnerability is caused by the program assigning weak permissions (0777) to the ui/dlm/btsearch directory.

Trust: 1.71

sources: NVD: CVE-2017-11156 // JVNDB: JVNDB-2017-007266 // VULHUB: VHN-101550

AFFECTED PRODUCTS

vendor: synology | model: download station | scope: eq | version: 3.4-2477

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.3-2383

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.2-2295

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.4-2485

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.3-2382

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.4-2478

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.5-2706

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.3-2386

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.5-2955

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.4-2480

Trust: 1.6

vendor: synology | model: download station | scope: eq | version: 3.8.4-3468

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2973

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2638

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2968

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2982

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2962

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.8.3-3458

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2970

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.8.0-3416

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2963

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.4-2558

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.4-2486

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2956

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.8.2-3455

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.4-2557

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2980

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.4-2514

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2967

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2705

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.4-2490

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.4-2555

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.8.1-3420

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.4-2489

Trust: 1.0

vendor: synology | model: download station | scope: eq | version: 3.5-2984

Trust: 0.8

vendor: synology | model: download station | scope: lt | version: 3.x

Trust: 0.8

vendor: synology | model: download station | scope: eq | version: 3.8.5-3475

Trust: 0.8

vendor: synology | model: download station | scope: lt | version: 3.8.x

Trust: 0.8

sources: JVNDB: JVNDB-2017-007266 // CNNVD: CNNVD-201707-377 // NVD: CVE-2017-11156

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-11156
value: HIGH

Trust: 1.0

NVD: CVE-2017-11156
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201707-377
value: HIGH

Trust: 0.6

VULHUB: VHN-101550
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-11156
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-101550
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-11156
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-101550 // JVNDB: JVNDB-2017-007266 // CNNVD: CNNVD-201707-377 // NVD: CVE-2017-11156

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.1

problemtype:CWE-276

Trust: 1.0

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-101550 // JVNDB: JVNDB-2017-007266 // NVD: CVE-2017-11156

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201707-377

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201707-377

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007266

PATCH

title: Synology-SA-17:28 Download Station
url: https://www.synology.com/en-global/support/security/Synology_SA_17_28_Download_Station

Trust: 0.8

title: Synology Download Station Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99908

Trust: 0.6

sources: JVNDB: JVNDB-2017-007266 // CNNVD: CNNVD-201707-377

EXTERNAL IDS

db: NVD | id: CVE-2017-11156

Trust: 2.5

db: JVNDB | id: JVNDB-2017-007266

Trust: 0.8

db: CNNVD | id: CNNVD-201707-377

Trust: 0.7

db: VULHUB | id: VHN-101550

Trust: 0.1

sources: VULHUB: VHN-101550 // JVNDB: JVNDB-2017-007266 // CNNVD: CNNVD-201707-377 // NVD: CVE-2017-11156

REFERENCES

url:https://www.synology.com/en-global/support/security/synology_sa_17_28_download_station

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11156

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-11156

Trust: 0.8

sources: VULHUB: VHN-101550 // JVNDB: JVNDB-2017-007266 // CNNVD: CNNVD-201707-377 // NVD: CVE-2017-11156

SOURCES

db: VULHUB | id: VHN-101550
db: JVNDB | id: JVNDB-2017-007266
db: CNNVD | id: CNNVD-201707-377
db: NVD | id: CVE-2017-11156

LAST UPDATE DATE

2025-04-20T23:04:31.175000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-101550 | date: 2019-10-09T00:00:00
db: JVNDB | id: JVNDB-2017-007266 | date: 2017-09-14T00:00:00
db: CNNVD | id: CNNVD-201707-377 | date: 2019-10-17T00:00:00
db: NVD | id: CVE-2017-11156 | date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB | id: VHN-101550 | date: 2017-08-14T00:00:00
db: JVNDB | id: JVNDB-2017-007266 | date: 2017-09-14T00:00:00
db: CNNVD | id: CNNVD-201707-377 | date: 2017-07-11T00:00:00
db: NVD | id: CVE-2017-11156 | date: 2017-08-14T19:29:01.147