History: Jan 13, 2022 - 8:27 p.m.

CVE-2022-22990 Limited authentication bypass vulnerability on Western Digital My Cloud devices

2022-01-13 20:27:26
CWE-287
WDC PSIRT
www.cve.org
5
vulnerability
western digital
my cloud
access token validation
remote code execution
privilege escalation
php scripts

CVSS3: 7.8

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score: 9.9
Confidence: High

EPSS: 0.077
Percentile: 94.3%

A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on My Cloud devices. The vulnerability was addressed by changing the access token validation logic and rewriting the rule logic in the PHP scripts.

CNA Affected

[
  {
    "product": "My Cloud",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "5.19.117",
        "status": "affected",
        "version": "My Cloud OS 5",
        "versionType": "custom"
      }
    ]
  }
]
