History: Jul 25, 2022 - 6:46 p.m.

CVE-2022-23000 Weak Default SSL use in Port Forwarding Service

2022-07-25 18:46:02
CWE-757
WDC PSIRT
www.cve.org

CVSS3: 7.3 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

AI Score: 7.9 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 5.1%)

The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an “SSL” context instead of “TLS” or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.
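
The difference between an "SSL" context and an explicitly restricted "TLS" one can be checked on any Java runtime with the sketch below. It is an added example, not Western Digital's code: it assumes the standard Java JSSE API (the advisory does not name the language), treats anything below TLS 1.2 as deprecated, and uses router.example as a placeholder peer that is never contacted.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class SslContextAudit {
    // Assumption for this example: anything below TLS 1.2 counts as deprecated.
    static final List<String> DEPRECATED =
            Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    // Client engine from a context requested by name ("SSL" is the pattern the advisory describes).
    static SSLEngine clientEngine(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        SSLEngine engine = ctx.createSSLEngine("router.example", 443); // placeholder, no connection is made
        engine.setUseClientMode(true);
        return engine;
    }

    // Deprecated protocol versions this engine is currently willing to negotiate.
    static List<String> deprecatedEnabled(SSLEngine engine) {
        List<String> found = new ArrayList<>();
        for (String p : engine.getEnabledProtocols())
            if (DEPRECATED.contains(p)) found.add(p);
        return found;
    }

    // Hardened form: explicit protocol allow-list plus hostname verification, so the
    // result does not depend on what the provider enables for a given context name.
    static SSLEngine hardenedEngine() throws Exception {
        SSLEngine engine = clientEngine("TLS");
        List<String> keep = new ArrayList<>();
        for (String p : engine.getSupportedProtocols())
            if (!DEPRECATED.contains(p)) keep.add(p);
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(keep.toArray(new String[0]));
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("\"SSL\" context enables deprecated: " + deprecatedEnabled(clientEngine("SSL")));
        System.out.println("\"TLS\" context enables deprecated: " + deprecatedEnabled(clientEngine("TLS")));
        System.out.println("hardened engine protocols: " + Arrays.toString(hardenedEngine().getEnabledProtocols()));
    }
}
```

What each context name enables by default varies with the security provider and runtime version, which is why the hardened form pins the protocol list instead of relying on the name.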

CNA Affected

[
  {
    "platforms": [
      "Linux"
    ],
    "product": "My Cloud",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "5.23.114",
        "status": "affected",
        "version": "My Cloud OS 5",
        "versionType": "custom"
      }
    ]
  }
]
