CVE-2023-22815
6.7
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Exploitability: 1.2 / Impact: 5.5
Source: NVD
Description
Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user via vulnerable CGI files. This vulnerability can only be exploited over the network, and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impacts are high.
This issue affects My Cloud OS 5 devices: before 5.26.300.
Affected (1)
Products: Westerndigital: My Cloud Os
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Westerndigital My Cloud Os | Before 5.26.300 |

| Running on/with | Platform Versions |
|---|---|
| Westerndigital My Cloud | All versions |
| Westerndigital My Cloud Dl2100 | All versions |
| Westerndigital My Cloud Dl4100 | All versions |
| Westerndigital My Cloud Ex2100 | All versions |
| Westerndigital My Cloud Ex2 Ultra | All versions |
| Westerndigital My Cloud Ex4100 | All versions |
| Westerndigital My Cloud Mirror G2 | All versions |
| Westerndigital My Cloud Pr2100 | All versions |
| Westerndigital My Cloud Pr4100 | All versions |
| Westerndigital Wd Cloud | All versions |
Related CWEs
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
References (2)
https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmware-version-5-26-300
Source: psirt@wdc.com
Vendor Advisory
https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmware-version-5-26-300
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Timeline
No history available yet.