CVE-2022-22990 — HIGH (7.8)

Q: How severe is CVE-2022-22990?

CVE-2022-22990 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-22990?

Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Cloud Os, Westerndigital My Cloud, Westerndigital My Cloud Dl2100, Westerndigital My Cloud Dl4100, Westerndigital My Cloud Ex2 Ultra.

Vulnerability Description

A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Westerndigital	My Cloud Os	< 5.19.117
Westerndigital	My Cloud	-
Westerndigital	My Cloud Dl2100	-
Westerndigital	My Cloud Dl4100	-
Westerndigital	My Cloud Ex2 Ultra	-
Westerndigital	My Cloud Ex2100	-
Westerndigital	My Cloud Ex4100	-
Westerndigital	My Cloud Mirror Gen 2	-
Westerndigital	My Cloud Pr2100	-
Westerndigital	My Cloud Pr4100	-
Westerndigital	Wd Cloud	-

Related Weaknesses (CWE)

CWE-287 CWE-697

References

https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-fVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-076/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-22-347/Third Party AdvisoryVDB Entry
https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-fVendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-076/Third Party AdvisoryVDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-22-347/Third Party AdvisoryVDB Entry

FAQ

What is CVE-2022-22990?

CVE-2022-22990 is a vulnerability with a CVSS score of 7.8 (HIGH). A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability...

How severe is CVE-2022-22990?

CVE-2022-22990 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-22990?

Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Cloud Os, Westerndigital My Cloud, Westerndigital My Cloud Dl2100, Westerndigital My Cloud Dl4100, Westerndigital My Cloud Ex2 Ultra.