CVE-2022-22993

Summary

CVE	CVE-2022-22993
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-01-28 20:15:00 UTC
Updated	2022-03-18 20:51:00 UTC
Description	A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters.

Risk And Classification

Problem Types: CWE-918

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Westerndigital	My Cloud	-	All	All	All
Hardware	Westerndigital	My Cloud Dl2100	-	All	All	All
Hardware	Westerndigital	My Cloud Dl4100	-	All	All	All
Hardware	Westerndigital	My Cloud Ex2100	-	All	All	All
Hardware	Westerndigital	My Cloud Ex2 Ultra	-	All	All	All
Hardware	Westerndigital	My Cloud Ex4100	-	All	All	All
Hardware	Westerndigital	My Cloud Mirror Gen 2	-	All	All	All
Operating System	Westerndigital	My Cloud Os	All	All	All	All
Hardware	Westerndigital	My Cloud Pr2100	-	All	All	All
Hardware	Westerndigital	My Cloud Pr4100	-	All	All	All
Hardware	Westerndigital	Wd Cloud	-	All	All	All

References

Reference	Source	Link	Tags
WDC-22002 My Cloud OS 5 Firmware 5.19.117 \| Western Digital	MISC	www.westerndigital.com
ZDI-22-348 \| Zero Day Initiative	MISC	www.zerodayinitiative.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

There are currently no legacy QID mappings associated with this CVE.