CVE-2022-22990
8.8
Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD
Description
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.
Affected (1)
Products: Westerndigital: My Cloud Os
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 5.19.117 |
| Running on/with | Platform Versions |
|---|---|
Westerndigital My Cloud | All versions |
Westerndigital My Cloud Dl2100 | All versions |
Westerndigital My Cloud Dl4100 | All versions |
Westerndigital My Cloud Ex2100 | All versions |
Westerndigital My Cloud Ex2 Ultra | All versions |
Westerndigital My Cloud Ex4100 | All versions |
Westerndigital My Cloud Mirror Gen 2 | All versions |
Westerndigital My Cloud Pr2100 | All versions |
Westerndigital My Cloud Pr4100 | All versions |
Westerndigital Wd Cloud | All versions |
Related CWEs
CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-697
Incorrect Comparison
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
References (6)
Source: psirt@wdc.com
Vendor Advisory
Source: psirt@wdc.com
Third Party AdvisoryVDB Entry
Source: psirt@wdc.com
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Timeline
No history available yet.