CVE-2022-22993

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-22993
A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

8.3 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:A/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 6.5 / Impact : 10.0

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-348/ Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_os:*:*:*:*:*:*:*:*
OR cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:-:*:*:*
cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*
History

No history.

Information

Published : 2022-01-28 20:15

Updated : 2022-03-18 20:51

NVD link : CVE-2022-22993

Mitre link : CVE-2022-22993

CVE.ORG link : CVE-2022-22993

JSON object : View

Products Affected

westerndigital

  • my_cloud_ex2_ultra
  • my_cloud_pr4100
  • my_cloud_dl2100
  • wd_cloud
  • my_cloud_mirror_gen_2
  • my_cloud_ex2100
  • my_cloud_dl4100
  • my_cloud
  • my_cloud_pr2100
  • my_cloud_ex4100
  • my_cloud_os
CWE
CWE-918

Server-Side Request Forgery (SSRF)