CVE-2019-9951 — CRITICAL (9.8)

Q: How severe is CVE-2019-9951?

CVE-2019-9951 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-9951?

Check the references section above for vendor advisories and patch information. Affected products include: Western Digital My Cloud Mirror Gen 2 Firmware, Western Digital My Cloud Mirror Gen 2, Western Digital My Cloud Ex2 Ultra Firmware, Western Digital My Cloud Ex2 Ultra, Western Digital My Cloud Ex2100 Firmware.

Vulnerability Description

Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability. The page web/jquery/uploader/uploadify.php can be accessed without any credentials, and allows uploading arbitrary files to any location on the attached storage.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Western Digital	My Cloud Mirror Gen 2 Firmware	< 2.31.174
Western Digital	My Cloud Mirror Gen 2	-
Western Digital	My Cloud Ex2 Ultra Firmware	< 2.31.174
Western Digital	My Cloud Ex2 Ultra	-
Western Digital	My Cloud Ex2100 Firmware	< 2.31.174
Western Digital	My Cloud Ex2100	-
Western Digital	My Cloud Ex4100	< 2.31.174
Western Digital	My Cloud Dl2100	< 2.31.174
Western Digital	My Cloud Dl4100 Firmware	< 2.31.174
Western Digital	My Cloud Dl4100	-
Western Digital	My Cloud Pr2100 Firmware	< 2.31.174
Western Digital	My Cloud Pr2100	-
Western Digital	My Cloud Pr4100	< 2.31.174
Western Digital	My Cloud Firmware	< 2.31.174
Western Digital	My Cloud	-

Related Weaknesses (CWE)

CWE-434

References

https://bnbdr.github.io/posts/wd/
https://community.wd.com/t/new-release-my-cloud-firmware-versions-2-31-174-3-26-Release NotesThird Party Advisory
https://github.com/bnbdr/wd-rce/
https://support.wdc.com/downloads.aspx?g=2702&lang=enThird Party Advisory
https://bnbdr.github.io/posts/wd/
https://community.wd.com/t/new-release-my-cloud-firmware-versions-2-31-174-3-26-Release NotesThird Party Advisory
https://github.com/bnbdr/wd-rce/
https://support.wdc.com/downloads.aspx?g=2702&lang=enThird Party Advisory

FAQ

What is CVE-2019-9951?

CVE-2019-9951 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is ...

How severe is CVE-2019-9951?

CVE-2019-9951 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-9951?

Check the references section above for vendor advisories and patch information. Affected products include: Western Digital My Cloud Mirror Gen 2 Firmware, Western Digital My Cloud Mirror Gen 2, Western Digital My Cloud Ex2 Ultra Firmware, Western Digital My Cloud Ex2 Ultra, Western Digital My Cloud Ex2100 Firmware.