PT-2020-17073 · Western Digital · Western Digital My Cloud Os 5

Carlos Su

Published

2020-12-01

Updated

2022-04-26

CVE-2020-28971

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Western Digital My Cloud OS 5 versions prior to 5.06.115

Description An issue was discovered that could allow an unauthenticated user to execute privileged commands on the device via a cookie, because of insufficient validation of URI paths. This is due to a NAS Admin authentication bypass, which could be exploited by an unauthenticated user.

Recommendations For Western Digital My Cloud OS 5 versions prior to 5.06.115, update to version 5.06.115 or later to resolve the issue. As a temporary workaround, consider restricting access to the device to minimize the risk of exploitation.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2020-28971

ZDI-20-1447

Affected Products

Western Digital My Cloud Os 5

PT-2020-17073 · Western Digital · Western Digital My Cloud Os 5

CVE-2020-28971

Weakness Enumeration

Related Identifiers

Affected Products

References · 7