Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-22815

Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300.

Published

2023-06-30T22:15:09.817

Last Modified

2024-11-21T07:45:28.330

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.2 (MEDIUM)

Weaknesses

Type: Secondary
CWE-78
Type: Primary
CWE-77

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	westerndigital	my_cloud_os	< 5.26.300	Yes
Hardware	westerndigital	my_cloud	-	No
Hardware	westerndigital	my_cloud_dl2100	-	No
Hardware	westerndigital	my_cloud_dl4100	-	No
Hardware	westerndigital	my_cloud_ex2_ultra	-	No
Hardware	westerndigital	my_cloud_ex2100	-	No
Hardware	westerndigital	my_cloud_ex4100	-	No
Hardware	westerndigital	my_cloud_mirror_g2	-	No
Hardware	westerndigital	my_cloud_pr2100	-	No
Hardware	westerndigital	my_cloud_pr4100	-	No
Hardware	westerndigital	wd_cloud	-	No

References

https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmware-version-5-26-300 Vendor Advisory ([email protected])
https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmware-version-5-26-300 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)