Vulnerability Details: CVE-2023-22815
Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high.
This issue affects My Cloud OS 5 devices: before 5.26.300.
Vulnerability category: Execute code
Products affected by CVE-2023-22815
- cpe:2.3:o:westerndigital:my_cloud_os:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-22815
- EPSS score: 0.21% (probability of exploitation activity in the next 30 days)
- Percentile: ~59% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-22815
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H | 1.2 | 5.5 | NIST | |
6.2 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H | 0.7 | 5.5 | Western Digital | |
CWE ids for CVE-2023-22815
- The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary), psirt@wdc.com (Secondary)
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: psirt@wdc.com (Secondary)
References for CVE-2023-22815
- https://www.westerndigital.com/support/product-security/wdc-23010-my-cloud-firmware-version-5-26-300
  WDC-23010 My Cloud Firmware Version 5.26.300 | Western Digital (Vendor Advisory)