| Description: | Summary:
Multiple Western Digital My Cloud products are prone to multiple
vulnerabilities.
Vulnerability Insight:
The following vulnerabilities exist / mitigation was done:
- Updated ffmpeg to version 7:4.1.9-0+deb10u1 to resolve DSA-5126-1 that could result in a denial
of service vulnerability
- Updated libtiff to version 4.4.0 to resolve CVE-2022-0561, CVE-2022-0562, CVE-2022-0865 that
could result in a denial of service vulnerability
- Updated TensorFlow to version 2.6.5 to resolve multiple CVEs (CVE-2022-29191 through
CVE-2022-29213) that could result in app crashes and denial of service vulnerability
- Updated multiple apps to resolve an issue which could result in Cross Site Scripting (XSS)
vulnerability
- CVE-2022-22999: An attacker with elevated privileges to access drives being backed up is able to
construct and inject JavaScript payloads into an authenticated user's browser
- CVE-2022-23000: Western Digital My Cloud Web App uses a weak SSLContext when attempting to
configure port forwarding rules. This was enabled to maintain compatibility with old or outdated
home routers. As a result, a local user with least privileges can exploit this vulnerability and
jeopardize the integrity, confidentiality and authenticity of information transmitted. This
vulnerability was resolved by enabling TLS ConnectionSwitching to a 'TLS' context instead of
'SSL'.
Affected Software/OS:
Western Digital My Cloud PR2100, My Cloud PR4100, My Cloud
EX4100, My Cloud EX2 Ultra, My Cloud Mirror Gen 2, My Cloud DL2100, My Cloud DL4100, My Cloud
EX2100, My Cloud and WD Cloud with firmware versions prior to 5.23.114.
Solution:
Update to firmware version 5.23.114 or later.
CVSS Score:
6.8
CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
