CVE-2021-31439

HIGH

Synology Diskstation Manager < 6.2.3-25426-3 - Out-of-Bounds Write

Title source: rule

Description

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.

References (5)

Core 5

Core References

Mailing List, Third Party Advisory mailing-list

https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html

Third Party Advisory vendor-advisory

https://www.debian.org/security/2023/dsa-5503

Issue Tracking, Third Party Advisory vendor-advisory

https://security.gentoo.org/glsa/202311-02

Vendor Advisory

https://www.synology.com/zh-hk/security/advisory/Synology_SA_20_26

Third Party Advisory, VDB Entry

https://www.zerodayinitiative.com/advisories/ZDI-21-492/

Scores

CVSS v3 8.8

EPSS 0.0103

EPSS Percentile 77.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-122 CWE-787

Status published

Products (4)

debian/debian_linux 10.0

debian/debian_linux 11.0

netatalk/netatalk < 3.1.13

synology/diskstation_manager 6.2 - 6.2.3-25426-3

Published May 21, 2021

Tracked Since Feb 18, 2026