9.8

CVE-2022-22994

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.

Data provided by the National Vulnerability Database (NVD)
Westerndigital My Cloud Os Version < 5.19.117
   Westerndigital My Cloud Version - SwEdition -
   Westerndigital My Cloud Dl2100 Version -
   Westerndigital My Cloud Dl4100 Version -
   Westerndigital My Cloud Ex2 Ultra Version -
   Westerndigital My Cloud Ex2100 Version -
   Westerndigital My Cloud Ex4100 Version -
   Westerndigital My Cloud Mirror Gen 2 Version -
   Westerndigital My Cloud Pr2100 Version -
   Westerndigital My Cloud Pr4100 Version -
   Westerndigital Wd Cloud Version -
No CISA KEV or CERT.AT warning was found for this CVE.

EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.8% | 0.717 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| psirt@wdc.com | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.