CVE-2022-27613
Description
CVE-2022-27613 is an SQL injection in Synology CardDAV Server's webapi component that allows authenticated remote attackers to execute arbitrary SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An SQL injection vulnerability exists in the webapi component of Synology CardDAV Server versions before 6.0.10-0153. The vulnerability stems from improper neutralization of special elements used in an SQL command. This affects CardDAV Server for DSM 6.2. The vendor advisory rates this as Important with a CVSSv3.1 base score of 8.3 [1].
Exploitation
An attacker must have network access and valid low-privilege credentials to authenticate to the CardDAV Server. The specific attack vector is via the webapi component, though the exact inputs or parameters are not disclosed in the available references. No user interaction beyond authentication is required, and the attack complexity is low [1].
Impact
Successful exploitation allows a remote authenticated attacker to execute arbitrary SQL commands. This could lead to reading or modifying sensitive data (confidentiality and integrity impact: High) and potentially cause limited availability impact (Low) [1]. The attacker gains the ability to manipulate the underlying database, potentially affecting the CardDAV service and stored contact data.
Mitigation
Synology released the fix in CardDAV Server version 6.0.10-0153. Users should upgrade to this version or later. No workarounds are provided in the advisory [1]. The vulnerability was disclosed on 2022-07-28, with an initial advisory revision dated 2021-02-23 [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: <6.0.10-0153
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] www.synology.com/security/advisory/Synology_SA_21_06 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.