CVE-2023-22815 — OS Command Injection in Digital MY Cloud OS 5

CWE-78 — OS Command Injection CWE-77 — Command Injection2 documents2 sources

Severity

6.7MEDIUMNVD

EPSS

0.4%

top 41.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Western Digital MY Cloud OS 5 Westerndigital MY Cloud OS

Timeline

PublishedJun 30

Latest updateJul 1

Description

Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must al…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:HExploitability: 1.2 | Impact: 5.5

Affected Packages2 packages

▶NVDwesterndigital/my_cloud_os< 5.26.300

▶CVEListV5western_digital/my_cloud_os_5< 5.26.300

🔴Vulnerability Details

GHSA

GHSA-j2rf-gr77-35c7: Post-authentication remote command injection vulnerabilities in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in↗2023-07-01

▶