CVE-2024-10442 | Off-by-one error vulnerability in the transmission component… | CVSS 10.0 CRITICAL

Description

Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors.

Metadata

CVE ID: CVE-2024-10442
State: PUBLISHED
Assigner: synology
Reserved: 2024-10-28 02:29 UTC
Published: 2025-03-19 02:14 UTC
Last updated: 2025-03-19 14:13 UTC
Primary CWE: CWE-193
Off-by-one Error
Vendor / Product: Synology / Unified Controller (DSMUC)
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (2)

Vendor	Product	Platform	Versions
Synology	Replication Service	—	* < 1.2.2-0353, * < 1.0.12-0066, * < 1.3.0-0423
Synology	Unified Controller (DSMUC)	—	3.1 < 3.1.4-23079, 0 < 3.1

Weakness (CWE)

CWE	Source	Description
CWE-193	cna	Off-by-one Error

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

Synology-SA-24:22 Replication Service (PWN2OWN 2024) https://www.synology.com/en-global/security/advisory/Synology_SA_24_22