CVE-2024-29239 - Vulnerability Details - OpenCVE

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Synology	Diskstation Manager Surveillance Station

Configuration 1 [-]

AND

cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*

cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:synology:diskstation_manager:7.1:::::::*
	cpe:2.3:o:synology:diskstation_manager:7.2:::::::*

No data.

References

Link	Providers
https://www.synology.com/en-global/security/advisory/Synology_SA_24_04

History

Tue, 14 Jan 2025 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Synology Synology diskstation Manager Synology surveillance Station
CPEs		cpe:2.3:a:synology:surveillance_station:::::::: cpe:2.3:o:synology:diskstation_manager:6.2:::::::* cpe:2.3:o:synology:diskstation_manager:7.1:::::::* cpe:2.3:o:synology:diskstation_manager:7.2:::::::*
Vendors & Products		Synology Synology diskstation Manager Synology surveillance Station

MITRE

Status: PUBLISHED

Assigner: synology

Published: 2024-03-28T06:28:31.235Z

Updated: 2024-08-02T01:10:54.544Z

Reserved: 2024-03-19T06:14:19.316Z

Link: CVE-2024-29239

Vulnrichment

Updated: 2024-08-02T01:10:54.544Z

NVD

Status : Analyzed

Published: 2024-03-28T07:16:10.293

Modified: 2025-01-14T20:24:50.210

Link: CVE-2024-29239

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29239", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "state": "PUBLISHED", "assignerShortName": "synology", "dateReserved": "2024-03-19T06:14:19.316Z", "datePublished": "2024-03-28T06:28:31.235Z", "dateUpdated": "2024-08-02T01:10:54.544Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "affected": [{"vendor": "Synology", "product": "Surveillance Station", "versions": [{"version": "*", "status": "affected", "lessThan": "9.2.0-11289", "versionType": "semver"}, {"version": "*", "status": "affected", "lessThan": "9.2.0-9289", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04", "name": "Synology-SA-24:04 Surveillance Station", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)", "type": "finder"}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-03-28T06:28:31.235Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-17T14:47:15.901229Z", "id": "CVE-2024-29239", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T14:47:22.503Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.544Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04", "name": "Synology-SA-24:04 Surveillance Station", "tags": ["vendor-advisory", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04", "name": "Synology-SA-24:04 Surveillance Station", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.544Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29239", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-17T14:47:15.901229Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T14:47:19.695Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Synology", "product": "Surveillance Station", "versions": [{"status": "affected", "version": "*", "lessThan": "9.2.0-11289", "versionType": "semver"}, {"status": "affected", "version": "*", "lessThan": "9.2.0-9289", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04", "name": "Synology-SA-24:04 Surveillance Station", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-03-28T06:28:31.235Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29239", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:10:54.544Z", "dateReserved": "2024-03-19T06:14:19.316Z", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "datePublished": "2024-03-28T06:28:31.235Z", "assignerShortName": "synology"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E", "versionEndExcluding": "9.2.0-9289", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9", "versionEndExcluding": "9.2.0-11289", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*", "matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890", "vulnerable": false}, {"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*", "matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors."}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente webapi Recording.CountByCategory en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados."}], "id": "CVE-2024-29239", "lastModified": "2025-01-14T20:24:50.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@synology.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-28T07:16:10.293", "references": [{"source": "security@synology.com", "tags": ["Vendor Advisory"], "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"}], "sourceIdentifier": "security@synology.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@synology.com", "type": "Secondary"}]}