A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.
References
Link | Resource |
---|---|
https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 | Vendor Advisory |
https://www.zerodayinitiative.com/advisories/ZDI-22-077/ | Third Party Advisory VDB Entry |
History
21 Jan 2022, 16:33
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 - Vendor Advisory | |
References | (MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-077/ - Third Party Advisory, VDB Entry | |
CPE | cpe:2.3:h:westerndigital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*, cpe:2.3:o:westerndigital:my_cloud_os:*:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*, cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:* | |
First Time | Westerndigital my Cloud Ex4100, Westerndigital my Cloud Mirror Gen 2, Westerndigital my Cloud Dl2100, Westerndigital my Cloud Ex2 Ultra, Westerndigital my Cloud Pr2100, Westerndigital my Cloud Ex2100, Westerndigital my Cloud Dl4100, Westerndigital my Cloud Pr4100, Westerndigital my Cloud, Westerndigital my Cloud Os, Westerndigital, Westerndigital wd Cloud | |
CWE | CWE-77 | |
CVSS | v2 : v3 : | v2 : 8.3 v3 : 8.8 |
17 Jan 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
13 Jan 2022, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2022-01-13 21:15
Updated : 2023-12-10 14:09
NVD link : CVE-2022-22991
Mitre link : CVE-2022-22991
CVE.ORG link : CVE-2022-22991
Products Affected
westerndigital
- my_cloud_os
- wd_cloud
- my_cloud_dl2100
- my_cloud_pr4100
- my_cloud_dl4100
- my_cloud_ex2100
- my_cloud_ex2_ultra
- my_cloud
- my_cloud_ex4100
- my_cloud_mirror_gen_2
- my_cloud_pr2100