CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-29842 – Command Injection Vulnerability in Western Digital My Cloud devices
https://notcve.org/view.php?id=CVE-2022-29842
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file was discovered in Western Digital My Cloud OS 5 devicesThis issue affects My Cloud OS 5: before 5.26.119. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Western Digital MyCloud PR4100 NAS devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the account_mgr cgi script. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. • https://www.westerndigital.com/support/product-security/wdc-23002-my-cloud-firmware-version-5-26-119 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2022-29839 – Remote Backups Application Discloses Stored Credentials
https://notcve.org/view.php?id=CVE-2022-29839
Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. Vulnerabilidad de credenciales insuficientemente protegidas en la aplicación de copias de seguridad remotas en dispositivos Western Digital My Cloud que podría permitir que un atacante que haya obtenido acceso a un endpoint relevante use esa información para acceder a datos protegidos. Este problema afecta: Versiones de Western Digital My Cloud My Cloud anteriores a la 5.25.124 en Linux. • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.6EPSS: 0%CPEs: 11EXPL: 0CVE-2022-29838 – Authentication issue with the encrypted volumes and auto mount feature in My Cloud devices
https://notcve.org/view.php?id=CVE-2022-29838
Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. La vulnerabilidad de autenticación inadecuada en los volúmenes cifrados y las funciones de montaje automático de los dispositivos Western Digital My Cloud permite un acceso directo inseguro a la información de la unidad en el caso de un reinicio del dispositivo. Este problema afecta: Versiones de Western Digital My Cloud My Cloud anteriores a la 5.25.124 en Linux. • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 0%CPEs: 26EXPL: 0CVE-2022-22995 – Western Digital My Cloud OS 5 and My Cloud Home Unauthenticated Arbitrary File Write Vulnerability in Netatalk
https://notcve.org/view.php?id=CVE-2022-22995
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code. La combinación de primitivas que ofrecen SMB y AFP en su configuración por defecto permite la escritura arbitraria de archivos. Al explotar esta combinación de primitivas, un atacante puede ejecutar código arbitrario • https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2 https://security.gentoo.org/glsa/202311-02 https://www.westerndigital.com/support/product-security/wdc& • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 9.8EPSS: 5%CPEs: 11EXPL: 0CVE-2022-22994 – Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices.
https://notcve.org/view.php?id=CVE-2022-22994
A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP. Se ha detectado una vulnerabilidad de ejecución de código remota en los dispositivos My Cloud de Western Digital donde un atacante podía engañar a un dispositivo NAS para cargar mediante una llamada HTTP no segura. Esto era el resultado de una verificación insuficiente de las llamadas al dispositivo. • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 https://www.zerodayinitiative.com/advisories/ZDI-22-349 • CWE-345: Insufficient Verification of Data Authenticity •