Lucene search

[email protected]CVE-2022-36328

HistoryMay 18, 2023 - 6:15 p.m.

CVE-2022-36328

2023-05-1818:15:09

CWE-22

[email protected]

web.nvd.nist.gov

cve

2022

36328

path traversal

vulnerability

western digital

my cloud

security

nvd

authentication bypass

root privileges

devices

data exfiltration

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.6%

JSON

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

Affected configurations

NVD

Node

westerndigitalmy_cloud_os_5Range<5.26.202

AND

westerndigitalmy_cloudMatch-

westerndigitalmy_cloud_dl2100Match-

westerndigitalmy_cloud_dl4100Match-

westerndigitalmy_cloud_ex2_ultraMatch-

westerndigitalmy_cloud_ex2100Match-

westerndigitalmy_cloud_ex4100Match-

westerndigitalmy_cloud_mirror_g2Match-

westerndigitalmy_cloud_pr2100Match-

westerndigitalmy_cloud_pr4100Match-

westerndigitalwd_cloudMatch-

Node

westerndigitalmy_cloud_home_firmwareRange<9.4.0-191

AND

westerndigitalmy_cloud_homeMatch-

Node

westerndigitalsandisk_ibi_firmwareRange<9.4.0-191

AND

westerndigitalsandisk_ibiMatch-

Node

westerndigitalmy_cloud_home_duo_firmwareRange<9.4.0-191

AND

westerndigitalmy_cloud_home_duoMatch-

CPENameOperatorVersion
westerndigital:my_cloud_os_5westerndigital my cloud os 5lt5.26.202

CPE	Name	Operator	Version
westerndigital:my_cloud_os_5	westerndigital my cloud os 5	lt	5.26.202

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "My Cloud Home and My Cloud Home Duo",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "9.4.0-191",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "ibi",
    "vendor": "SanDisk",
    "versions": [
      {
        "lessThan": "9.4.0-191",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "My Cloud OS 5",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "5.26.202",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]