CVE-2022-23000 — HIGH (7.3)

Q: How severe is CVE-2022-23000?

CVE-2022-23000 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-23000?

Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Cloud Pr2100 Firmware, Westerndigital My Cloud Pr2100, Westerndigital My Cloud Pr4100 Firmware, Westerndigital My Cloud Pr4100, Westerndigital My Cloud Ex4100 Firmware.

Vulnerability Description

The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Westerndigital	My Cloud Pr2100 Firmware	< 5.23.114
Westerndigital	My Cloud Pr2100	-
Westerndigital	My Cloud Pr4100 Firmware	< 5.23.114
Westerndigital	My Cloud Pr4100	-
Westerndigital	My Cloud Ex4100 Firmware	< 5.23.114
Westerndigital	My Cloud Ex4100	-
Westerndigital	My Cloud Ex2 Ultra Firmware	< 5.23.114
Westerndigital	My Cloud Ex2 Ultra	-
Westerndigital	My Cloud Mirror G2 Firmware	< 5.23.114
Westerndigital	My Cloud Mirror G2	-
Westerndigital	My Cloud Dl2100 Firmware	< 5.23.114
Westerndigital	My Cloud Dl2100	-
Westerndigital	My Cloud Dl4100 Firmware	< 5.23.114
Westerndigital	My Cloud Dl4100	-
Westerndigital	My Cloud Ex2100 Firmware	< 5.23.114
Westerndigital	My Cloud Ex2100	-
Westerndigital	My Cloud Firmware	< 5.23.114
Westerndigital	My Cloud	-

Related Weaknesses (CWE)

CWE-757

References

https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmwVendor Advisory
https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmwVendor Advisory

FAQ

What is CVE-2022-23000?

CVE-2022-23000 is a vulnerability with a CVSS score of 7.3 (HIGH). The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdat...

How severe is CVE-2022-23000?

CVE-2022-23000 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-23000?

Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Cloud Pr2100 Firmware, Westerndigital My Cloud Pr2100, Westerndigital My Cloud Pr4100 Firmware, Westerndigital My Cloud Pr4100, Westerndigital My Cloud Ex4100 Firmware.