CVE-2022-23000

EPSS 0.05%
Published 25.07.2022 19:15:30
Last modified 21.11.2024 06:47:46
Source psirt@wdc.com
Teams watchlist Login
Open Login

The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Westerndigital ≫ My Cloud Pr2100 Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Pr2100 Version-

Westerndigital ≫ My Cloud Pr4100 Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Pr4100 Version-

Westerndigital ≫ My Cloud Ex4100 Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Ex4100 Version-

Westerndigital ≫ My Cloud Ex2 Ultra Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Ex2 Ultra Version-

Westerndigital ≫ My Cloud Mirror G2 Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Mirror G2 Version-

Westerndigital ≫ My Cloud Dl2100 Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Dl2100 Version-

Westerndigital ≫ My Cloud Dl4100 Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Dl4100 Version-

Westerndigital ≫ My Cloud Ex2100 Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Ex2100 Version-

Westerndigital ≫ My Cloud Firmware Version < 5.23.114

Westerndigital ≫ My Cloud Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.143

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
psirt@wdc.com	7.3	2.5	4.7	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-23000

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-23000

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-23000

EUVD