Lucene search

WDC PSIRTCVELIST:CVE-2022-22994

HistoryJan 28, 2022 - 7:35 p.m.

CVE-2022-22994 Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices.

2022-01-2819:35:05

CWE-345

WDC PSIRT

www.cve.org

8.8 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.054 Low

EPSS

Percentile

93.1%

JSON

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.

CNA Affected

[
  {
    "product": "My Cloud",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "5.19.117",
        "status": "affected",
        "version": "My Cloud OS 5",
        "versionType": "custom"
      }
    ]
  }
]

References

www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117

www.zerodayinitiative.com/advisories/ZDI-22-349/

8.8 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.054 Low

EPSS

Percentile

93.1%

JSON

Related for CVELIST:CVE-2022-22994