CVE-2022-22989 (GCVE-0-2022-22989)
Vulnerability from cvelistv5 – Published: 2022-01-13 20:27 – Updated: 2024-08-03 03:28
VLAI
Title
Pre-authenticated stack overflow vulnerability on FTP Service
Summary
My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues.
Severity
9.8 (Critical)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.westerndigital.com/support/product-se… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Western Digital | My Cloud |
Affected:
My Cloud OS 5 , < 5.19.117
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.838Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "My Cloud",
"vendor": "Western Digital",
"versions": [
{
"lessThan": "5.19.117",
"status": "affected",
"version": "My Cloud OS 5",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMy Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues.\u003c/p\u003e"
}
],
"value": "My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-12T20:41:26.870Z",
"orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
"shortName": "WDC PSIRT"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate your My Cloud device to firmware version 5.19.117.\u003c/p\u003e"
}
],
"value": "Update your My Cloud device to firmware version 5.19.117."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Pre-authenticated stack overflow vulnerability on FTP Service",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@wdc.com",
"ID": "CVE-2022-22989",
"STATE": "PUBLIC",
"TITLE": "Pre-authenticated stack overflow vulnerability on FTP Service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "My Cloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "My Cloud OS 5",
"version_value": "5.19.117"
}
]
}
}
]
},
"vendor_name": "Western Digital"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service. Addressed the vulnerability by adding defenses against stack overflow issues."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-121 Stack-based Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117",
"refsource": "MISC",
"url": "https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update your My Cloud device to firmware version 5.19.117."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
"assignerShortName": "WDC PSIRT",
"cveId": "CVE-2022-22989",
"datePublished": "2022-01-13T20:27:24.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:28:42.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-22989",
"date": "2026-06-01",
"epss": "0.01234",
"percentile": "0.79506"
},
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:westerndigital:my_cloud_os:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"5.19.117\", \"matchCriteriaId\": \"9B585AE9-1F28-42D7-B16D-75BF1CB8A054\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3A9EE86B-05EE-4F2E-A912-624DDCF9C41B\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E783EBC-7608-4527-B1AD-9B4E7A7A108C\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F3034F4A-239C-4E38-9BD6-217361A7C519\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5A581EBA-A1F2-4ABC-8183-29973A46FA43\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B78030F0-6655-4604-9D16-2FA1F3FD52FF\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5695E842-1561-4A4F-901F-6EC07F558989\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BF58260B-2131-402C-A9DA-67B188136DE1\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CB0C2FD9-4792-4DA2-9698-E53109A499EC\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8FDE0337-4329-4CE3-9B0B-61BE8361E910\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Mi Cloud OS 5 era vulnerable a una vulnerabilidad de desbordamiento de pila preautenticada en el servicio FTP. Se abord\\u00f3 la vulnerabilidad a\\u00f1adiendo defensas contra los problemas de desbordamiento de pila\"}]",
"id": "CVE-2022-22989",
"lastModified": "2024-11-21T06:47:45.200",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@wdc.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-01-13T21:15:08.863",
"references": "[{\"url\": \"https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117\", \"source\": \"psirt@wdc.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@wdc.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"psirt@wdc.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-121\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-22989\",\"sourceIdentifier\":\"psirt@wdc.com\",\"published\":\"2022-01-13T21:15:08.863\",\"lastModified\":\"2026-02-24T20:22:49.697\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues.\"},{\"lang\":\"es\",\"value\":\"Mi Cloud OS 5 era vulnerable a una vulnerabilidad de desbordamiento de pila preautenticada en el servicio FTP. Se abord\u00f3 la vulnerabilidad a\u00f1adiendo defensas contra los problemas de desbordamiento de pila\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@wdc.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"psirt@wdc.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_os:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.19.117\",\"matchCriteriaId\":\"9B585AE9-1F28-42D7-B16D-75BF1CB8A054\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A9EE86B-05EE-4F2E-A912-624DDCF9C41B\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E783EBC-7608-4527-B1AD-9B4E7A7A108C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3034F4A-239C-4E38-9BD6-217361A7C519\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A581EBA-A1F2-4ABC-8183-29973A46FA43\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B78030F0-6655-4604-9D16-2FA1F3FD52FF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5695E842-1561-4A4F-901F-6EC07F558989\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF58260B-2131-402C-A9DA-67B188136DE1\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB0C2FD9-4792-4DA2-9698-E53109A499EC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8FDE0337-4329-4CE3-9B0B-61BE8361E910\"}]}]}],\"references\":[{\"url\":\"https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117\",\"source\":\"psirt@wdc.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…