Vulnerability Monitor


CVE-2022-22990


A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on My Cloud devices. The vulnerability was addressed by changing the access token validation logic and rewriting the rule logic in the PHP scripts.


Published

2022-01-13T21:15:08.917

Last Modified

2024-11-21T06:47:45.363

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

CVSSv2 Vector

AV:A/AC:L/Au:N/C:C/I:C/A:C

  • Access Vector: ADJACENT_NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Exploitability Score

6.5

Impact Score

10.0

Weaknesses

  • CWE-287 (Type: Secondary)
  • CWE-697 (Type: Primary)

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | westerndigital | my_cloud_os | < 5.19.117 | Yes |
| Hardware | westerndigital | my_cloud | - | No |
| Hardware | westerndigital | my_cloud_dl2100 | - | No |
| Hardware | westerndigital | my_cloud_dl4100 | - | No |
| Hardware | westerndigital | my_cloud_ex2_ultra | - | No |
| Hardware | westerndigital | my_cloud_ex2100 | - | No |
| Hardware | westerndigital | my_cloud_ex4100 | - | No |
| Hardware | westerndigital | my_cloud_mirror_gen_2 | - | No |
| Hardware | westerndigital | my_cloud_pr2100 | - | No |
| Hardware | westerndigital | my_cloud_pr4100 | - | No |
| Hardware | westerndigital | wd_cloud | - | No |

References