CVE-2023-22815 — MEDIUM (6.2)

Q: How severe is CVE-2023-22815?

CVE-2023-22815 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-22815?

Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Cloud Os, Westerndigital My Cloud, Westerndigital My Cloud Dl2100, Westerndigital My Cloud Dl4100, Westerndigital My Cloud Ex2 Ultra.

Vulnerability Description

Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300.

CVSS Score

6.2

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Westerndigital	My Cloud Os	< 5.26.300
Westerndigital	My Cloud	-
Westerndigital	My Cloud Dl2100	-
Westerndigital	My Cloud Dl4100	-
Westerndigital	My Cloud Ex2 Ultra	-
Westerndigital	My Cloud Ex2100	-
Westerndigital	My Cloud Ex4100	-
Westerndigital	My Cloud Mirror G2	-
Westerndigital	My Cloud Pr2100	-
Westerndigital	My Cloud Pr4100	-
Westerndigital	Wd Cloud	-

Related Weaknesses (CWE)

CWE-78 CWE-77

References

https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmwVendor Advisory
https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmwVendor Advisory

FAQ

What is CVE-2023-22815?

CVE-2023-22815 is a vulnerability with a CVSS score of 6.2 (MEDIUM). Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files...

How severe is CVE-2023-22815?

CVE-2023-22815 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-22815?

Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Cloud Os, Westerndigital My Cloud, Westerndigital My Cloud Dl2100, Westerndigital My Cloud Dl4100, Westerndigital My Cloud Ex2 Ultra.