CVE-2022-22992 — Improper Encoding or Escaping of Output in My Cloud OS
Severity
9.8 CRITICAL (NVD)
EPSS
0.9%
top 24.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 28
Latest update: Jan 29
Description
A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 1 package
Vulnerability Details
GHSA-3mm5-rh7g-ph5j: A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arb… (2022-01-29)