CVE-2022-22991

Summary

CVE	CVE-2022-22991
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-01-13 21:15:00 UTC
Updated	2022-01-21 16:33:00 UTC
Description	A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.

Risk And Classification

Problem Types: CWE-77

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Westerndigital	My Cloud	-	All	All	All
Hardware	Westerndigital	My Cloud Dl2100	-	All	All	All
Hardware	Westerndigital	My Cloud Dl4100	-	All	All	All
Hardware	Westerndigital	My Cloud Ex2100	-	All	All	All
Hardware	Westerndigital	My Cloud Ex2 Ultra	-	All	All	All
Hardware	Westerndigital	My Cloud Ex4100	-	All	All	All
Hardware	Westerndigital	My Cloud Mirror Gen 2	-	All	All	All
Operating System	Westerndigital	My Cloud Os	All	All	All	All
Hardware	Westerndigital	My Cloud Pr2100	-	All	All	All
Hardware	Westerndigital	My Cloud Pr4100	-	All	All	All
Hardware	Westerndigital	Wd Cloud	-	All	All	All

References

Reference	Source	Link	Tags
ZDI-22-077 \| Zero Day Initiative	MISC	www.zerodayinitiative.com
WDC-22002 My Cloud OS 5 Firmware 5.19.117 \| Western Digital	MISC	www.westerndigital.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative

There are currently no legacy QID mappings associated with this CVE.