First published: Fri Jan 28 2022
A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters.
Credit: psirt@wdc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Western Digital MyCloud PR4100 | | |
Westerndigital My Cloud Os | <5.19.117 | |
Westerndigital My Cloud | | |
Westerndigital My Cloud Dl2100 | | |
Westerndigital My Cloud Dl4100 | | |
Westerndigital My Cloud Ex2 Ultra | | |
Westerndigital My Cloud Ex2100 | | |
Westerndigital My Cloud Ex4100 | | |
Westerndigital My Cloud Mirror Gen 2 | | |
Westerndigital My Cloud Pr2100 | | |
Westerndigital My Cloud Pr4100 | | |
Westerndigital Wd Cloud | | |

Update your My Cloud device to firmware version 5.19.117.
CVE-2022-22993 is a vulnerability that allows network-adjacent attackers to escalate privileges on Western Digital MyCloud PR4100 devices.
The severity of CVE-2022-22993 is rated as high, with a CVSS score of 8.8.
The affected software versions are Western Digital My Cloud OS versions earlier than 5.19.117.
To exploit CVE-2022-22993, network-adjacent attackers need to bypass the existing authentication mechanism on affected Western Digital MyCloud PR4100 devices.
Yes, Western Digital has released firmware version 5.19.117 for My Cloud OS5, which addresses the vulnerability. It is recommended to update to this version to fix CVE-2022-22993.