Synology Active Backup for Business Path Traversal Vulnerability Allowing File Read by Admins

Vulnerability

A path traversal vulnerability has been identified in Synology Active Backup for Business versions prior to 2.7.1-13234, 2.7.1-23234, and 2.7.1-3234. Because pathnames are not properly limited to the intended restricted directory, remote authenticated users with administrator privileges can read specific files containing non-sensitive information. The flaw is in the share file list functionality; the attack vectors are unspecified.
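As an added illustration (not code from the advisory or from Synology), the pattern behind this bug class in a file-list handler: a string-prefix check that runs before normalisation, beside a containment check on canonicalised paths. The directory layout, function names and sample files are constructed assumptions.

```python
"""Illustrative path-containment check for a share file-list endpoint.
Added example, not Synology's code: the advisory only says the share file
list function failed to confine pathnames to the share's directory, so the
directory layout and function names here are assumptions."""
from __future__ import annotations
import os, tempfile
from pathlib import Path

def list_share_naive(share_root: str, requested: str) -> list[str]:
    """Weak pattern: join the user-supplied path, then compare string prefixes.
    The comparison runs before '..' is normalised, so any suffix appended to
    the root string passes and the filesystem resolves it afterwards."""
    candidate = os.path.join(share_root, requested)
    if not candidate.startswith(share_root):
        raise PermissionError(requested)
    return sorted(os.listdir(candidate))

def list_share_safe(share_root: str, requested: str) -> list[str]:
    """Hardened pattern: canonicalise both sides (symlinks and '..' resolved),
    then require the target to be the share root or one of its descendants."""
    root = Path(share_root).resolve(strict=True)
    target = (root / requested).resolve(strict=True)
    if target != root and root not in target.parents:
        raise PermissionError(requested)
    return sorted(p.name for p in target.iterdir())

def _attempt(fn, share: Path, requested: str):
    try:
        return fn(str(share), requested)
    except PermissionError:
        return "denied"

def demo() -> dict[str, object]:
    """Constructed layout: <tmp>/shares/backup is the share; <tmp>/secret and
    the sibling <tmp>/shares/backup_private lie outside it."""
    base = Path(tempfile.mkdtemp())
    share = base / "shares" / "backup"
    share.mkdir(parents=True)
    (share / "report.txt").write_text("constructed sample")
    for outside, name in (("shares/backup_private", "keys.txt"), ("secret", "flag.txt")):
        (base / outside).mkdir()
        (base / outside / name).write_text("constructed sample")
    return {
        "naive_escape": _attempt(list_share_naive, share, "../../secret"),
        "naive_sibling": _attempt(list_share_naive, share, "../backup_private"),
        "safe_escape": _attempt(list_share_safe, share, "../../secret"),
        "safe_sibling": _attempt(list_share_safe, share, "../backup_private"),
        "safe_root": _attempt(list_share_safe, share, "."),
    }
```

The naive variant lists directories outside the share for the same inputs that the canonicalising variant rejects, which is the check a defender wants in any endpoint that turns a user-supplied path into a listing.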

Impact

Exploitation of this vulnerability allows for unauthorized file reading, potentially leading to information disclosure.

Remediation

Upgrade Active Backup for Business to version 2.7.1-13234 or above on DSM 7.1, 2.7.1-23234 or above on DSM 7.2, or 2.7.1-3234 or above on DSM 6.2.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM