Auth bypass in Western Digital My Cloud
CVE-2022-22990
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation lo…
Vulnerability class: Broken Authentication
EPSS: 0.021 (79.6th percentile)
CVSS v3 metric
CVSS v3 base score 7.8 (High). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N.
Affected products
- Western Digital My Cloud — versions My Cloud OS 5
- Westerndigital My_cloud
- Westerndigital My_cloud_dl2100
- Westerndigital My_cloud_dl4100
- Westerndigital My_cloud_ex2100
- Westerndigital My_cloud_ex2_ultra
- Westerndigital My_cloud_ex4100
- Westerndigital My_cloud_mirror_gen_2
- Westerndigital My_cloud_os
- Westerndigital My_cloud_pr2100
Weakness classification (CWE)
Frequently asked questions
- What is CVE-2022-22990?
  CVE-2022-22990 is a high-severity vulnerability in Western Digital My Cloud, classified under Improper Authentication. CVSS score: 7.8/10. Published 2022-01-13.
- How severe is CVE-2022-22990?
  High severity. CVSS v3 base score is 7.8 out of 10.