弊社のウェブページの改善のためにクッキーを使用しています。弊社のクッキーポリシーをお読みください。

ASUSTOR セキュリティ アドバイザリ

AS-2023-012: ADM

2023-11-29

Severity

Important

Status

Resolved

Statement

An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

  • The issue has been fixed on ADM 4.2.3.RK91 and ADM 4.0.6.RNS1.

Affected Products

Product Severity Fixed Release Availability
ADM 4.2 and 4.1 Important Upgrade to ADM 4.2.3.RK91 or above.
ADM 4.0 Important Upgrade to ADM 4.0.6.RNS1 or above.

Detail

  • CVE-2023-4475
    • Severity: High
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
    • An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

Acknowledgement

Stéphane Chauveau (stephane@chauveau-central.net)


Revision

Revision Date Description
1 2023-08-23 Initial public release.
2 2023-08-23 CVE ID (CVE-2023-4475) is assigned for the issue.
3 2023-08-23 ADM 4.2.3.RK91 has been released for fixing the issue.
4 2023-11-29 ADM 4.0.6.RNS1 has been released for fixing the issue.