CVE-2022-29841: OS Command Injection vulnerability in Western Digital My Cloud devices
First published: Wed May 10 2023(Updated: )
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices.This issue affects My Cloud OS 5: before 5.26.119.
Credit: psirt@wdc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Western Digital My Cloud OS 5 | >=5.02.104<5.26.119 | |
| Western Digital My Cloud OS 5 | ||
| westerndigital My Cloud dl2100 | ||
| westerndigital My Cloud dl4100 | ||
| westerndigital My Cloud ex2 ultra | ||
| westerndigital My Cloud ex2100 | ||
| westerndigital My Cloud ex4100 | ||
| Western Digital My Cloud Mirror Gen 2 | ||
| westerndigital My Cloud pr2100 | ||
| westerndigital My Cloud pr4100 | ||
| westerndigital wd Cloud |
Remedy
Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-29841?
CVE-2022-29841 refers to an OS Command Injection vulnerability found in certain versions of Western Digital My Cloud OS.
How does CVE-2022-29841 affect Western Digital My Cloud OS?
CVE-2022-29841 allows remote attackers to execute unauthorized commands with elevated privileges on affected versions of Western Digital My Cloud OS.
What is the severity of CVE-2022-29841?
CVE-2022-29841 has a severity score of 9.8 out of 10, indicating a critical vulnerability.
Which versions of Western Digital My Cloud OS are affected by CVE-2022-29841?
CVE-2022-29841 affects Western Digital My Cloud OS versions between 5.02.104 and 5.26.119, inclusive.
How can I fix CVE-2022-29841?
To fix CVE-2022-29841, it is recommended to update Western Digital My Cloud OS to version 5.26.119 or higher as provided by Western Digital.
- agent/weakness
- agent/type
- agent/severity
- agent/author
- agent/title
- agent/remedy
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/westerndigital
- canonical/western digital my cloud os 5
- version/western digital my cloud os 5/5.02.104
- canonical/westerndigital my cloud dl2100
- canonical/westerndigital my cloud dl4100
- canonical/westerndigital my cloud ex2 ultra
- canonical/westerndigital my cloud ex2100
- canonical/westerndigital my cloud ex4100
- canonical/western digital my cloud mirror gen 2
- canonical/westerndigital my cloud pr2100
- canonical/westerndigital my cloud pr4100
- canonical/westerndigital wd cloud