CVE-2023-2909

Published: May 31, 2023Modified: Nov 21, 2024

10.0

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 6.0

Source: NVD

Description

EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below.

Affected (3)

Products: Asustor: Adm

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Asustor Adm	From 4.0.0 to 4.0.6.reg2
Asustor Adm	From 4.1.0 to 4.1.0rlq1
Asustor Adm	From 4.2.0 to 4.2.1.rge2

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (2)

https://www.asustor.com/security/security_advisory_detail?id=25

Source: security@asustor.com

Vendor Advisory

https://www.asustor.com/security/security_advisory_detail?id=25

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.