A vulnerability was found in Synology Router Manager up to 1.1.7 (Router Operating System). It has been declared as problematic. This vulnerability affects the function SYNO.Core.ACL. The manipulation of the argument file_path as part of a Parameter leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. CVE summarizes:

Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter.

The weakness was presented 04/01/2019 (Website). The advisory is available at synology.com. This vulnerability was named CVE-2018-13290 since 07/05/2018. The attack can be initiated remotely. The successful exploitation needs a single authentication. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.

Upgrading to version 1.1.7-6941-2 eliminates this vulnerability.

See 132657 and 132660 for similar entries.

Productinfo

Type

• Router Operating System

Vendor

• Synology

Name

• Router Manager

Version

• 1.1.0
• 1.1.1
• 1.1.2
• 1.1.3
• 1.1.4
• 1.1.5
• 1.1.6
• 1.1.7

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion