Path Traversal Vulnerability leading to an arbitrary file read in Western Digital devices
CVE-2022-36328

5.8MEDIUM

Key Information:

Vendor

Western Digital

Status
My Cloud Home And My Cloud Home Duo
Ibi
My Cloud Os 5
Vendor
CVE Published:
18 May 2023

What is CVE-2022-36328?

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

ibi Linux 0 < 9.4.0-191

My Cloud Home and My Cloud Home Duo Linux 0 < 9.4.0-191

My Cloud OS 5 Linux 0 < 5.26.202

References

https://www.westerndigital.com/support/product-security/w...
https://www.westerndigital.com/support/product-security/w...

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative
JSON
.