Lucene search

WDC PSIRTCVELIST:CVE-2022-22993

HistoryJan 28, 2022 - 7:09 p.m.

CVE-2022-22993 Limited Server-Side Request Forgery vulnerability on Western Digital My Cloud devices.

2022-01-2819:09:29

CWE-918

WDC PSIRT

www.cve.org

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.9%

JSON

A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters.

CNA Affected

[
  {
    "product": "My Cloud",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "5.19.117",
        "status": "affected",
        "version": "My Cloud OS 5",
        "versionType": "custom"
      }
    ]
  }
]

References

www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117

www.zerodayinitiative.com/advisories/ZDI-22-348/

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.9%

JSON

Related for CVELIST:CVE-2022-22993