CVE-2022-22994

Summary

CVE	CVE-2022-22994
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-01-28 20:15:00 UTC
Updated	2022-03-15 16:37:00 UTC
Description	A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.

Risk And Classification

Problem Types: CWE-345

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Westerndigital	My Cloud	-	All	All	All
Hardware	Westerndigital	My Cloud Dl2100	-	All	All	All
Hardware	Westerndigital	My Cloud Dl4100	-	All	All	All
Hardware	Westerndigital	My Cloud Ex2100	-	All	All	All
Hardware	Westerndigital	My Cloud Ex2 Ultra	-	All	All	All
Hardware	Westerndigital	My Cloud Ex4100	-	All	All	All
Hardware	Westerndigital	My Cloud Mirror Gen 2	-	All	All	All
Operating System	Westerndigital	My Cloud Os	All	All	All	All
Hardware	Westerndigital	My Cloud Pr2100	-	All	All	All
Hardware	Westerndigital	My Cloud Pr4100	-	All	All	All
Hardware	Westerndigital	Wd Cloud	-	All	All	All

References

Reference	Source	Link	Tags
WDC-22002 My Cloud OS 5 Firmware 5.19.117 \| Western Digital	MISC	www.westerndigital.com
ZDI-22-349 \| Zero Day Initiative	MISC	www.zerodayinitiative.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative

There are currently no legacy QID mappings associated with this CVE.