VIR Vulnerability Intelligence Relay

CVE-2017-11149

medium
Published 2017-08-14 · Modified 2026-05-13
CVSS v3
6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v2
4.0
VIR risk
6.5

Description

Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via crafted URI.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@synology.com — https://www.synology.com/en-global/support/security/Synology_SA_17_28_Download_Station

Application impact
VendorProductVersionsFixed
synologydownload_station3.2-2295
synologydownload_station3.3-2382
synologydownload_station3.3-2383
synologydownload_station3.3-2386
synologydownload_station3.4-2477
synologydownload_station3.4-2478
synologydownload_station3.4-2480
synologydownload_station3.4-2485
synologydownload_station3.4-2486
synologydownload_station3.4-2489
synologydownload_station3.4-2490
synologydownload_station3.4-2514
synologydownload_station3.4-2555
synologydownload_station3.4-2557
synologydownload_station3.4-2558
synologydownload_station3.5-2638
synologydownload_station3.5-2705
synologydownload_station3.5-2706
synologydownload_station3.5-2955
synologydownload_station3.5-2956
synologydownload_station3.5-2962
synologydownload_station3.5-2963
synologydownload_station3.5-2967
synologydownload_station3.5-2968
synologydownload_station3.5-2970
synologydownload_station3.5-2973
synologydownload_station3.5-2980
synologydownload_station3.5-2982
synologydownload_station3.8.0-3416
synologydownload_station3.8.1-3420
synologydownload_station3.8.2-3455
synologydownload_station3.8.3-3458
synologydownload_station3.8.4-3468

References

CWEs

CWE-918

Verify integrity in audit chain (admin only). AS-IS.