Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high.
This issue affects My Cloud OS 5 devices: before 5.26.300.
References
Link | Resource |
---|---|
https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmware-version-5-26-300 | Vendor Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
28 Aug 2023, 14:49
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.7 |
25 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300. |
07 Jul 2023, 23:05
Type | Values Removed | Values Added |
---|---|---|
First Time |
Westerndigital my Cloud Mirror G2
Westerndigital my Cloud Dl2100 Westerndigital my Cloud Pr2100 Westerndigital my Cloud Ex2 Ultra Westerndigital my Cloud Pr4100 Westerndigital wd Cloud Westerndigital my Cloud Dl4100 Westerndigital my Cloud Ex2100 Westerndigital my Cloud Os Westerndigital my Cloud Westerndigital my Cloud Ex4100 Westerndigital |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
References | (MISC) https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmware-version-5-26-300 - Vendor Advisory | |
CPE | cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:* cpe:2.3:o:westerndigital:my_cloud_os:*:*:*:*:*:*:*:* |
|
CWE | CWE-77 |
30 Jun 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-30 22:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-22815
Mitre link : CVE-2023-22815
CVE.ORG link : CVE-2023-22815
JSON object : View
Products Affected
westerndigital
- my_cloud_dl4100
- my_cloud_ex2100
- my_cloud_mirror_g2
- my_cloud_pr4100
- my_cloud_ex4100
- my_cloud
- wd_cloud
- my_cloud_os
- my_cloud_ex2_ultra
- my_cloud_dl2100
- my_cloud_pr2100
CWE
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')