PT-2022-15761 · Western Digital · Western Digital Mycloud Pr4100

Martin Rakhmanov +1 · Published 2022-01-13 · Updated 2022-01-21 · CVE-2022-22991

CVSS v3.1: 8.8 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Western Digital MyCloud PR4100 (affected versions not specified)

Description

A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. The issue was addressed by disabling checks for internet connectivity using HTTP.

Recommendations

To resolve the issue, disable checks for internet connectivity using HTTP. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2022-22991
ZDI-22-077

Affected Products

Western Digital Mycloud Pr4100