CVE-2022-36331 | Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, … | CVSS 10.0 CRITICAL

Description

Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data. This issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102.

Metadata

CVE ID: CVE-2022-36331
State: PUBLISHED
Assigner: WDC PSIRT
Reserved: 2022-07-20 13:57 UTC
Published: 2023-06-12 17:57 UTC
Last updated: 2025-01-03 14:48 UTC
Primary CWE: CWE-290
CWE-290 Authentication Bypass by Spoofing
Vendor / Product: Western Digital / My Cloud OS 5
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (3)

Vendor	Product	Platform	Versions
SanDisk	ibi	Linux	0 < 8.13.1-102
Western Digital	My Cloud Home and My Cloud Home Duo	Linux	0 < 8.13.1-102
Western Digital	My Cloud OS 5	Linux	0 < 5.25.132

Weakness (CWE)

CWE	Source	Description
CWE-290	cna	CWE-290 Authentication Bypass by Spoofing

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://https://www.westerndigital.com/support/product-security/wdc-22020-my-cloud-os-5-my-cloud-home-ibi-firmware-update