← Back

CVE-2019-9950

nvd nist
Published: Apr 24, 2019Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an authentication bypass vulnerability. The login_mgr.cgi file checks credentials against /etc/shadow. However, the "nobody" account (which can be used to access the control panel API as a low-privilege logged-in user) has a default empty password, allowing an attacker to modify the My Cloud EX2 Ultra web page source code and obtain access to the My Cloud as a non-Admin My Cloud device user.

Affected (9)

Westerndigital
9 products
My Cloud Firmware
My Cloud Mirror Gen2 Firmware
My Cloud Ex2 Ultra Firmware
My Cloud Ex2100 Firmware
My Cloud Ex4100 Firmware
My Cloud Dl2100 Firmware
My Cloud Dl4100 Firmware
My Cloud Pr2100 Firmware
My Cloud Pr4100 Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud
All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Mirror Gen2 Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud Mirror Gen2
All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Ex2 Ultra Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud Ex2 Ultra
All versions
Configuration D
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Ex2100 Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud Ex2100
All versions
Configuration E
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Ex4100 Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud Ex4100
All versions
Configuration F
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Dl2100 Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud Dl2100
All versions
Configuration G
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Dl4100 Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud Dl4100
All versions
Configuration H
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Pr2100 Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud Pr2100
All versions
Configuration I
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
My Cloud Pr4100 Firmware
Before 2.31.174
Running on/withPlatform Versions
Westerndigital
My Cloud Pr4100
All versions

Related CWEs

CWE-521
Weak Password Requirements
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

References (8)

Source: cve@mitre.org
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.