Synology-SA-17:21 Photo Station

Publish Time: 2017-06-13 00:00:00 UTC+8

Last Updated: 2017-06-13 17:29:00 UTC+8

Severity: Moderate

Status: Resolved

Abstract

CVE-2017-9552 has been found in Photo Station and allows local users to obtain sensitive information of other users.

Affected

  • Products
    • Photo Station
  • Models
    • All Synology NAS models

Description

A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline.

The CVSS vector of this vulnerability is triaged as CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N by the Synology Security Team.
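
The class of flaw described above (credentials passed as process arguments) can be audited on any Linux host. The following is an added example, not Synology's code: it parses the NUL-separated /proc/<pid>/cmdline format and reports processes whose arguments carry a secret, with the value masked. The option-name pattern, the helper names and the sample command line are assumptions, since the advisory does not name the affected process or argument.

```python
import os
import re

# Option names treated as secret-bearing. Assumed for illustration: the
# advisory does not name the argument or process involved in CVE-2017-9552.
SECRET = re.compile(r"(?:.*[-_])?(?:pass(?:w(?:or)?d)?|pwd|secret|token|api[-_]?key)", re.I)

def parse_cmdline(raw):
    """Split the NUL-separated argv stored in /proc/<pid>/cmdline."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_exposed(argv):
    """Return (index_of_value, option_name) for each secret passed in argv."""
    hits, i = [], 1  # argv[0] is the program path
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        if name.startswith("-") and SECRET.fullmatch(name.lstrip("-")):
            if sep and value:                      # --password=VALUE
                hits.append((i, name))
            elif not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                i += 1                             # --password VALUE
                hits.append((i, name))
        i += 1
    return hits

def redact(argv):
    """Copy of argv that is safe to log: secret values are masked."""
    out = list(argv)
    for idx, name in find_exposed(argv):
        out[idx] = name + "=[REDACTED]" if out[idx].startswith(name + "=") else "[REDACTED]"
    return out

def scan_proc(proc="/proc"):
    """Audit live processes; returns {pid: redacted argv} for each finding."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited or is not readable
        if find_exposed(argv):
            findings[int(pid)] = redact(argv)
    return findings

# Constructed sample, not captured from a Synology device.
SAMPLE = b"/usr/bin/example-helper\0--user\0alice\0--password\0hunter2\0--token=abc123\0--password-file\0/etc/x\0"
if __name__ == "__main__":
    print(redact(parse_cmdline(SAMPLE)))
```

On Linux, /proc/<pid>/cmdline is readable by every local user by default, so a finding from scan_proc() indicates a secret that should instead be handed to the process over stdin or a permission-restricted file.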

Mitigation

None

Update Availability

To fix the security issue, go to DSM > Package Center, and update Photo Station to the latest version (6.7.2-3429).

Acknowledgement

Synology would like to thank Frédéric Crozat for reporting this issue.