CVE-2022-22991

Summary

A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.

Affected Software

VendorProductVersion RangeStatus
Western DigitalMy CloudMy Cloud OS 5 < 5.19.117affected

Weaknesses

  • CWE-78: CWE-78 OS Command Injection

ADP Enrichment

CVE Program Container

Additional References

References