CVE-2022-22990 — Improper Authentication in Digital MY Cloud
Severity
8.8 HIGH (NVD)
EPSS
1.7%
top 17.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 13
Latest update: Jan 14
Description
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on My Cloud devices. The vulnerability was addressed by changing the access token validation logic and rewriting rule logic in the PHP scripts.
CVSS vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details
GHSA (1)
GHSA-qqqv-wfvc-wrgw (2022-01-14): A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on