CVE-2022-23000
Vulnerability from cvelistv5
Published
2022-07-25 18:46
Modified
2024-08-03 03:28
Severity ?
EPSS score ?
Summary
Weak Default SSL use in Port Forwarding Service
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Western Digital | My Cloud |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.001Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Linux"
],
"product": "My Cloud",
"vendor": "Western Digital",
"versions": [
{
"lessThan": "5.23.114",
"status": "affected",
"version": "My Cloud OS 5",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an \"SSL\" context instead of \"TLS\" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T18:46:02",
"orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
"shortName": "WDC PSIRT"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
}
],
"solutions": [
{
"lang": "en",
"value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Weak Default SSL use in Port Forwarding Service",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@wdc.com",
"ID": "CVE-2022-23000",
"STATE": "PUBLIC",
"TITLE": "Weak Default SSL use in Port Forwarding Service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "My Cloud",
"version": {
"version_data": [
{
"platform": "Linux",
"version_affected": "\u003c",
"version_name": "My Cloud OS 5",
"version_value": "5.23.114"
}
]
}
}
]
},
"vendor_name": "Western Digital"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an \"SSL\" context instead of \"TLS\" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114",
"refsource": "MISC",
"url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
}
]
},
"solution": [
{
"lang": "en",
"value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
"assignerShortName": "WDC PSIRT",
"cveId": "CVE-2022-23000",
"datePublished": "2022-07-25T18:46:02",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-08-03T03:28:43.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23000\",\"sourceIdentifier\":\"psirt@wdc.com\",\"published\":\"2022-07-25T19:15:30.787\",\"lastModified\":\"2022-08-03T18:30:01.360\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an \\\"SSL\\\" context instead of \\\"TLS\\\" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.\"},{\"lang\":\"es\",\"value\":\"La aplicaci\u00f3n web Western Digital My Cloud [https://os5.mycloud.com/] usa un SSLContext d\u00e9bil cuando intenta configurar reglas de reenv\u00edo de puertos. Esto fue habilitado para mantener la compatibilidad con routers dom\u00e9sticos antiguos o anticuados. Al usar un contexto \\\"SSL\\\" en lugar de \\\"TLS\\\" o especificar una comprobaci\u00f3n m\u00e1s fuerte, son permitidos protocolos obsoletos o no seguros. Como resultado, un usuario local no privilegiado puede explotar esta vulnerabilidad y poner en peligro la integridad, confidencialidad y autenticidad de la informaci\u00f3n transmitida. El alcance del impacto no puede extenderse a otros componentes y no es requerida ninguna entrada del usuario para explotar esta vulnerabilidad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"psirt@wdc.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]},{\"source\":\"psirt@wdc.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-757\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_pr2100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"20F89970-BE6B-4D54-B507-DBC44B1FD14F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF58260B-2131-402C-A9DA-67B188136DE1\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_pr4100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"DB474374-298B-4A60-AB5C-C7422EF7FB57\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB0C2FD9-4792-4DA2-9698-E53109A499EC\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_ex4100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"DB3A72C6-7461-4916-B443-C3332AC458C1\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B78030F0-6655-4604-9D16-2FA1F3FD52FF\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"69DC6E33-18F7-45D7-9169-FA8888E74A7B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A581EBA-A1F2-4ABC-8183-29973A46FA43\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_mirror_g2_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"C9226338-8147-4C13-8556-BA5FA55FDD26\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DE090BC-C847-4DF7-9C5F-52A300845558\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_dl2100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"DDE68BF0-E806-40BB-862F-C440CA151A73\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E783EBC-7608-4527-B1AD-9B4E7A7A108C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"1EB1A9E9-1DC9-40F9-8606-D5BAC39FB651\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3034F4A-239C-4E38-9BD6-217361A7C519\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"17E97D4A-8015-4FEB-8450-ED8C70D4E702\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.23.114\",\"matchCriteriaId\":\"EA960F88-8DB3-4A9C-9303-51ED5FAF1A7A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A9EE86B-05EE-4F2E-A912-624DDCF9C41B\"}]}]}],\"references\":[{\"url\":\"https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114\",\"source\":\"psirt@wdc.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.