Note: This project will be discontinued after December 13, 2021.
Product: My_cloud_os (Westerndigital)
Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 18 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-02-06 | CVE-2021-36224 | Western Digital My Cloud devices before OS5 have a nobody account with a blank password. | My_cloud_os | 9.8 | ||
2023-02-06 | CVE-2021-36226 | Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files. | My_cloud_os | 9.8 | ||
2022-12-09 | CVE-2022-29838 | Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. | My_cloud_os | 4.6 | ||
2022-12-09 | CVE-2022-29839 | Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. | My_cloud_os | 5.5 | ||
2022-01-28 | CVE-2022-22993 | A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters. | My_cloud_os | 8.8 | ||
2022-01-28 | CVE-2022-22994 | A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP. | My_cloud_os | 9.8 | ||
2022-01-13 | CVE-2022-22991 | A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP. | My_cloud_os | 8.8 | ||
2021-03-10 | CVE-2021-3310 | Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information disclosure (by reading local files). | My_cloud_os | 7.8 |