A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.
References
Link | Resource |
---|---|
https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 | Release Notes Vendor Advisory |
https://www.zerodayinitiative.com/advisories/ZDI-22-349/ | Third Party Advisory VDB Entry |
History
15 Mar 2022, 16:37
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-349/ - Third Party Advisory, VDB Entry | |
References | (MISC) https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 - Release Notes, Vendor Advisory | |
CWE | CWE-345 |
15 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
04 Feb 2022, 01:47
Type | Values Removed | Values Added |
---|---|---|
First Time | Westerndigital my Cloud Ex4100, Westerndigital my Cloud Mirror Gen 2, Westerndigital my Cloud Dl2100, Westerndigital my Cloud Ex2 Ultra, Westerndigital my Cloud Pr2100, Westerndigital my Cloud Ex2100, Westerndigital my Cloud Dl4100, Westerndigital my Cloud Pr4100, Westerndigital my Cloud, Westerndigital my Cloud Os, Westerndigital, Westerndigital wd Cloud | |
References | (MISC) https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 - Vendor Advisory | |
CWE | NVD-CWE-noinfo | |
CVSS | v2 : v3 : | v2 : 7.5, v3 : 9.8 |
CPE | cpe:2.3:h:westerndigital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:* cpe:2.3:o:westerndigital:my_cloud_os:*:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:-:*:*:* cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:* |
28 Jan 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-01-28 20:15
Updated : 2023-12-10 14:09
NVD link : CVE-2022-22994
Mitre link : CVE-2022-22994
CVE.ORG link : CVE-2022-22994
Products Affected
westerndigital
- my_cloud_pr4100
- wd_cloud
- my_cloud_ex4100
- my_cloud_os
- my_cloud_dl2100
- my_cloud
- my_cloud_dl4100
- my_cloud_pr2100
- my_cloud_mirror_gen_2
- my_cloud_ex2_ultra
- my_cloud_ex2100
CWE
CWE-345
Insufficient Verification of Data Authenticity