CVE Published: 30/06/2023 |
CVE Updated: 06/11/2024 |
CVE Year: 2023 Source: WDC PSIRT |
Vendor: Western Digital |
Product: My Cloud OS 5 Status : PUBLISHED
CVE-2023-22815 Description
Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high.
This issue affects My Cloud OS 5 devices: before 5.26.300.
Metrics
CVSS Version: 3.1 |
Base Score: 6.2 MEDIUM Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
l➤ Exploitability Metrics: Attack Vector (AV)* NETWORK Attack Complexity (AC)* HIGH Privileges Required (PR)* HIGH User Interaction (UI)* NONE Scope (S)* UNCHANGED
l➤ Impact Metrics: Confidentiality Impact (C)* LOW Integrity Impact (I)* HIGH Availability Impact (A)* HIGH
Weakness Enumeration (CWE)
CWE-ID: CWE-78 CWE Name: CWE-78 Improper Neutralization of Special Elements used in an OS Command (
OS Command Injection
) Source: Western Digital
Common Attack Pattern Enumeration and Classification (CAPEC)