CVE-2022-36328

Published: May 18, 2023Modified: Nov 21, 2024

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

Affected (4)

Products: Westerndigital: My Cloud Os 5, My Cloud Home Firmware, Sandisk Ibi Firmware, My Cloud Home Duo Firmware

Westerndigital

4 products

My Cloud Os 5

My Cloud Home Firmware

Sandisk Ibi Firmware

My Cloud Home Duo Firmware

Configuration A

1 vulnerable · 10 platform

Vulnerable Software	Affected Versions
Westerndigital My Cloud Os 5	Before 5.26.202

Running on/with	Platform Versions
Westerndigital My Cloud	All versions
Westerndigital My Cloud Dl2100	All versions
Westerndigital My Cloud Dl4100	All versions
Westerndigital My Cloud Ex2100	All versions
Westerndigital My Cloud Ex2 Ultra	All versions
Westerndigital My Cloud Ex4100	All versions
Westerndigital My Cloud Mirror G2	All versions
Westerndigital My Cloud Pr2100	All versions
Westerndigital My Cloud Pr4100	All versions
Westerndigital Wd Cloud	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Westerndigital My Cloud Home Firmware	Before 9.4.0-191

Running on/with	Platform Versions
Westerndigital My Cloud Home	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Westerndigital Sandisk Ibi Firmware	Before 9.4.0-191

Running on/with	Platform Versions
Westerndigital Sandisk Ibi	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Westerndigital My Cloud Home Duo Firmware	Before 9.4.0-191

Running on/with	Platform Versions
Westerndigital My Cloud Home Duo	All versions

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191

Source: psirt@wdc.com

Release NotesVendor Advisory

https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202

Source: psirt@wdc.com

Release NotesVendor Advisory

https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.