← Back

CVE-2017-11149

nvd nist
Published: Aug 14, 2017Modified: May 13, 2026

JSON object

Loading...
6.5
Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via crafted URI.

Affected (33)

Synology
1 product
Download Station
Configuration A
33 vulnerable
Vulnerable SoftwareAffected Versions
Synology
Download Station
Version 3.2-2295
Download Station
Version 3.3-2382
Download Station
Version 3.3-2383
Download Station
Version 3.3-2386
Download Station
Version 3.4-2477
Download Station
Version 3.4-2478
Download Station
Version 3.4-2480
Download Station
Version 3.4-2485
Download Station
Version 3.4-2486
Download Station
Version 3.4-2489
Download Station
Version 3.4-2490
Download Station
Version 3.4-2514
Download Station
Version 3.4-2555
Download Station
Version 3.4-2557
Download Station
Version 3.4-2558
Download Station
Version 3.5-2638
Download Station
Version 3.5-2705
Download Station
Version 3.5-2706
Download Station
Version 3.5-2955
Download Station
Version 3.5-2956
Download Station
Version 3.5-2962
Download Station
Version 3.5-2963
Download Station
Version 3.5-2967
Download Station
Version 3.5-2968
Download Station
Version 3.5-2970
Download Station
Version 3.5-2973
Download Station
Version 3.5-2980
Download Station
Version 3.5-2982
Download Station
Version 3.8.0-3416
Download Station
Version 3.8.1-3420
Download Station
Version 3.8.2-3455
Download Station
Version 3.8.3-3458
Download Station
Version 3.8.4-3468

Related CWEs

CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

Source: security@synology.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.