CVE-2019-9949


Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100, DL2100, DL4100, PR2100 and PR4100 before firmware 2.31.183 are affected by a code execution (as root, starting from a low-privilege user session) vulnerability. The cgi-bin/webfile_mgr.cgi file allows arbitrary file write by abusing symlinks. Specifically, this occurs by uploading a tar archive that contains a symbolic link, then uploading another archive that writes a file to the link using the "cgi_untar" command. Other commands might also be susceptible. Code can be executed because the "name" parameter passed to the cgi_unzip command is not sanitized.


Published

2019-05-23T14:29:08.000

Last Modified

2024-11-21T04:52:39.470

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Exploitability Score

8.0

Impact Score

10.0

Weaknesses
  • Type: Primary
    CWE-59

Affected Vendors & Products
Type              Vendor          Product                        Version/Range  Vulnerable?
Operating System  westerndigital  my_cloud_firmware              < 2.31.183     Yes
Hardware          westerndigital  my_cloud                       -              No
Operating System  westerndigital  my_cloud_mirror_gen2_firmware  < 2.31.183     Yes
Hardware          westerndigital  my_cloud_mirror_gen2           -              No
Operating System  westerndigital  my_cloud_ex2_ultra_firmware    < 2.31.183     Yes
Hardware          westerndigital  my_cloud_ex2_ultra             -              No
Operating System  westerndigital  my_cloud_ex2100_firmware       < 2.31.183     Yes
Hardware          westerndigital  my_cloud_ex2100                -              No
Operating System  westerndigital  my_cloud_ex4100_firmware       < 2.31.183     Yes
Hardware          westerndigital  my_cloud_ex4100                -              No
Operating System  westerndigital  my_cloud_dl2100_firmware       < 2.31.183     Yes
Hardware          westerndigital  my_cloud_dl2100                -              No
Operating System  westerndigital  my_cloud_dl4100_firmware       < 2.31.183     Yes
Hardware          westerndigital  my_cloud_dl4100                -              No
Operating System  westerndigital  my_cloud_pr2100_firmware       < 2.31.183     Yes
Hardware          westerndigital  my_cloud_pr2100                -              No
Operating System  westerndigital  my_cloud_pr4100_firmware       < 2.31.183     Yes
Hardware          westerndigital  my_cloud_pr4100                -              No
