AS-2023-010: ADM

2023-11-29

Severity

Important

Status

Resolved


Statement

A directory traversal vulnerability was found in ASUSTOR Data Master (ADM) that allows remote unauthorized users to navigate beyond the intended directory structure. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

  • The issues have been fixed in ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.

Affected Products

| Product | Severity | Fixed Release Availability |
|---|---|---|
| ADM 4.2 and 4.1 | Important | Upgrade to ADM 4.2.3.RK91 or above. |
| ADM 4.0 | Important | Upgrade to ADM 4.0.6.RNS1 or above. |
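
A version-triage sketch for the affected ranges and fixed releases listed above, added here as an example and not ASUSTOR's code. It assumes that build tags on the same numeric version (for example RIS1 and RNS1) sort alphabetically in release order; the host names and inventory are constructed.

```python
import re

# First fixed release per ADM branch, taken from the advisory table.
FIXED = {
    (4, 0): "4.0.6.RNS1",
    (4, 1): "4.2.3.RK91",
    (4, 2): "4.2.3.RK91",
}

_VERSION = re.compile(r"^(?:ADM\s*)?(\d+)\.(\d+)\.(\d+)(?:\.([A-Z0-9]+))?$", re.I)


def parse(version):
    """Split '4.2.2.RI61' into (4, 2, 2, 'RI61'); a missing build tag sorts lowest."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ADM version: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), (build or "").upper())


def triage(version):
    """Return (status, upgrade_target) for one ADM version string."""
    v = parse(version)
    branch = v[:2]
    if branch in FIXED:
        fix = FIXED[branch]
        # Assumption: build tags compare as plain strings within one numeric version.
        if v >= parse(fix):
            return ("fixed", None)
        return ("affected", fix)
    if v >= parse("4.2.3.RK91"):
        return ("fixed", None)      # newer branch, covered by "or above"
    return ("review", None)         # branch older than 4.0, not in the table


def affected_hosts(inventory):
    """Filter a {host: version} inventory down to hosts that need an upgrade."""
    result = {}
    for host, version in inventory.items():
        status, target = triage(version)
        if status == "affected":
            result[host] = target
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"nas-01": "4.2.2.RI61", "nas-02": "4.0.6.RNS1", "nas-03": "4.1.0"}
    for host, target in affected_hosts(sample).items():
        print(f"{host}: upgrade to ADM {target} or above")
```

Versions on branches older than 4.0 are returned as `review` because the advisory's table names no fixed release for them.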

Detail

  • CVE-2023-3697
    • Severity: High
    • CVSS3 Base Score: 8.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
    • The printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
  • CVE-2023-3698
    • Severity: High
    • CVSS3 Base Score: 8.5
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
    • The printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

Acknowledgement

atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security


Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2023-08-23 | Initial public release. |
| 2 | 2023-08-23 | CVE ID CVE-2023-3697 and CVE-2023-3698 are assigned for the issues. |
| 3 | 2023-08-23 | ADM 4.2.3.RK91 has been released for fixing the issues. |
| 4 | 2023-11-29 | ADM 4.0.6.RNS1 has been released for fixing the issues. |