First published: Wed May 10 2023(Updated: )
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices.This issue affects My Cloud OS 5: before 5.26.119.
Credit: psirt@wdc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Westerndigital My Cloud Os | >=5.02.104<5.26.119 | |
Westerndigital My Cloud | ||
Westerndigital My Cloud Dl2100 | ||
Westerndigital My Cloud Dl4100 | ||
Westerndigital My Cloud Ex2 Ultra | ||
Westerndigital My Cloud Ex2100 | ||
Westerndigital My Cloud Ex4100 | ||
Westerndigital My Cloud Mirror G2 | ||
Westerndigital My Cloud Pr2100 | ||
Westerndigital My Cloud Pr4100 | ||
Westerndigital Wd Cloud |
Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-29841 refers to an OS Command Injection vulnerability found in certain versions of Western Digital My Cloud OS.
CVE-2022-29841 allows remote attackers to execute unauthorized commands with elevated privileges on affected versions of Western Digital My Cloud OS.
CVE-2022-29841 has a severity score of 9.8 out of 10, indicating a critical vulnerability.
CVE-2022-29841 affects Western Digital My Cloud OS versions between 5.02.104 and 5.26.119, inclusive.
To fix CVE-2022-29841, it is recommended to update Western Digital My Cloud OS to version 5.26.119 or higher as provided by Western Digital.