Plataforma
synology
Componente
synology-photo-station
Corrigido em
6.8.14-3500
CVE-2021-29089 describes a critical SQL Injection vulnerability affecting Synology Photo Station versions up to 6.8.14-3500. This flaw allows remote attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access and system control. Synology has released a patch in version 6.8.14-3500 to address this vulnerability, and users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in Synology Photo Station poses a significant threat. An attacker could leverage this flaw to bypass authentication mechanisms and directly manipulate the database. This could result in the unauthorized extraction of sensitive user data, including usernames, passwords, and stored media files. Furthermore, successful exploitation could allow an attacker to gain control of the Photo Station server, potentially leading to broader network compromise and lateral movement within the organization. The impact is particularly severe given the potential for data exfiltration and system takeover.
CVE-2021-29089 was publicly disclosed on June 2, 2021. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the critical severity and ease of exploitation make it a potential target. The vulnerability's impact is similar to other SQL Injection flaws, where attackers can gain unauthorized access to sensitive data and system resources. It is not currently listed on CISA KEV, but its severity warrants close monitoring.
Organizations and individuals utilizing Synology Photo Station, particularly those with older versions (≤6.8.14-3500), are at risk. Shared hosting environments where multiple users share a Photo Station instance are especially vulnerable, as a compromise of one user's account could potentially expose data for all users on the server.
• synology / server:
journalctl -u photo-station | grep -i "SQL injection"• synology / server:
lsof -i :5000 | grep -i "photo-station"• generic web:
curl -I https://<photo-station-ip>/photo/download.php?file=../../../../etc/passwd | head -n 1disclosure
patch
Status do Exploit
EPSS
0.82% (percentil 74%)
Vetor CVSS
The primary mitigation for CVE-2021-29089 is to upgrade Synology Photo Station to version 6.8.14-3500 or later. If immediate upgrade is not possible due to compatibility issues or downtime constraints, consider implementing temporary workarounds. While a direct WAF rule targeting SQL Injection attempts is recommended, the complexity of the vulnerability may require a more sophisticated rule set. Monitor Photo Station logs for unusual SQL queries or database activity. After upgrading, confirm the fix by attempting a SQL Injection payload through the thumbnail component and verifying that it is properly sanitized.
Actualice Synology Photo Station a la versión 6.8.14-3500 o posterior. Esta actualización corrige la vulnerabilidad de inyección SQL en el componente de miniaturas.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2021-29089 is a critical SQL Injection vulnerability in Synology Photo Station versions up to 6.8.14-3500, allowing attackers to execute arbitrary SQL commands.
You are affected if you are running Synology Photo Station version 6.8.14-3500 or earlier. Upgrade to the latest version immediately.
Upgrade Synology Photo Station to version 6.8.14-3500 or later. If immediate upgrade is not possible, implement temporary workarounds like enhanced log monitoring.
While no confirmed active campaigns are publicly known, the vulnerability's severity makes it a potential target for exploitation.
Refer to the official Synology Security Advisory: https://www.synology.com/en-global/security/advisory/CVE-2021-29089
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.