CVE-2022-22992

Published: Jan 28, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input.

Affected (1)

Products: Westerndigital: My Cloud Os

Westerndigital

1 product

My Cloud Os

Configuration A

1 vulnerable · 10 platform

Vulnerable Software	Affected Versions
Westerndigital My Cloud Os	Before 5.19.117

Running on/with	Platform Versions
Westerndigital My Cloud	All versions
Westerndigital My Cloud Dl2100	All versions
Westerndigital My Cloud Dl4100	All versions
Westerndigital My Cloud Ex2100	All versions
Westerndigital My Cloud Ex2 Ultra	All versions
Westerndigital My Cloud Ex4100	All versions
Westerndigital My Cloud Mirror Gen 2	All versions
Westerndigital My Cloud Pr2100	All versions
Westerndigital My Cloud Pr4100	All versions
Westerndigital Wd Cloud	All versions

Related CWEs

CWE-116

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (2)

https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117

Source: psirt@wdc.com

Vendor Advisory

https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.