CVE-2022-22994

Опубликовано: 28 янв. 2022

Источник: nvd

CVSS3: 8.8

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.

Ссылки

https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117
Release Notes
Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-349/
Third Party Advisory
VDB Entry
https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117
Release Notes
Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-349/
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:westerndigital:my_cloud_os:*:*:*:*:*:*:*:*

Версия до 5.19.117 (исключая)

Одно из

cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:-:*:*:*

cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*

cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*

cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*

cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*

cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*

cpe:2.3:h:westerndigital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*

cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*

cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*

cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*

EPSS

Процентиль: 74%

0.00796

Низкий

8.8 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-345

Связанные уязвимости

GHSA-q8m2-mp4h-vhmc

CVSS3: 9.8

github

около 4 лет назад

EPSS

Процентиль: 74%

0.00796

Низкий

8.8 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-345