Overview
- Description
- Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
- Source
- cve@mitre.org
- NVD status
- Modified
Risk scores
CVSS 3.0
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
CVSS 2.0
- Type
- Primary
- Base score
- 10
- Impact score
- 10
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:C/I:C/A:C
Weaknesses
- nvd@nist.gov
- CWE-77
Social media
- Hype score
- Not currently trending
Vendor comments
- Western DigitalThis was resolved via My Cloud product firmware update 2.11.157 for the My Cloud EX2, EX4, and Mirror (Gen 1) models, and My Cloud product firmware update 2.21.126 for all other affected My Cloud models (My Cloud, PR 4100, PR2100, DL4100, DL2100, EX4100, EX2100, EX2 Ultra models). The firmware updates were made available December 20, 2016. The product firmware updates are available through the Update Firmware option on the My Cloud device itself or from the specific My Cloud product model’s support page at: http://support.wdc.com/downloads.aspx?g=904&lang=en#downloads .
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:western_digital:mycloud_nas:2.11.142:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4E266118-1758-4B64-A160-42FFD3869274"
}
],
"operator": "OR"
}
]
}
]