Vulnerabilities related to westerndigital - my_cloud_home_firmware
cve-2023-22819
Vulnerability from cvelistv5
Published
2024-02-05 21:26
Modified
2024-09-05 22:47
Summary
An uncontrolled resource consumption vulnerability, which could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted, was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.5.1-104; ibi: before 9.5.1-104; My Cloud OS 5: before 5.27.161.
Impacted products
Vendor Product Version
Western Digital My Cloud OS 5 Version: 0   < 5.27.161
Western Digital My Cloud Home & Duo Version: 0   < 9.5.1-104
SanDisk ibi Version: 0   < 9.5.1-104


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-22819",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-06-07T16:00:14.828373Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-07T16:00:24.870Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T10:20:30.729Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud OS 5",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "5.27.161",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home & Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "9.5.1-104",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: "9.5.1-104",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.5.1-104; ibi: before 9.5.1-104; My Cloud OS 5: before 5.27.161.</span>",
                  },
               ],
               value: "An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.5.1-104; ibi: before 9.5.1-104; My Cloud OS 5: before 5.27.161.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 4.9,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-770",
                     description: "CWE-770 Allocation of Resources Without Limits or Throttling",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-09-05T22:47:28.039Z",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p></p><div><div><p><span style=\"background-color: var(--wht);\">For My Cloud OS 5 devices, <span style=\"background-color: rgb(255, 255, 255);\">Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.</span></span></p><p><span style=\"background-color: var(--wht);\">My Cloud Home, My Cloud Home Duo and SanDisk ibi devices will be automatically updated to reflect the latest firmware version.</span></p></div></div><div><div><div></div></div></div><p></p>",
                  },
               ],
               value: "For My Cloud OS 5 devices, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.\n\nMy Cloud Home, My Cloud Home Duo and SanDisk ibi devices will be automatically updated to reflect the latest firmware version.",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Uncontrolled resource consumption vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2023-22819",
      datePublished: "2024-02-05T21:26:53.171Z",
      dateReserved: "2023-01-06T20:23:44.301Z",
      dateUpdated: "2024-09-05T22:47:28.039Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-36328
Vulnerability from cvelistv5
Published
2023-05-18 17:55
Modified
2025-01-22 14:39
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.
Impacted products
Vendor Product Version
Western Digital My Cloud Home and My Cloud Home Duo Version: 0   < 9.4.0-191
SanDisk ibi Version: 0   < 9.4.0-191
Western Digital My Cloud OS 5 Version: 0   < 5.26.202


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T10:00:04.308Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-36328",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-22T14:38:58.012086Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-22T14:39:06.257Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home and My Cloud Home Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: "9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud OS 5",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "5.26.202",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative ",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability <span style=\"background-color: rgb(255, 255, 255);\">that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered&nbsp;</span>in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.<p>This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.</p>",
                  },
               ],
               value: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.\n\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-05-18T17:55:02.517Z",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
            },
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "\n\n\n\n\n\n\n\n\n\n\n<p>For My Cloud Home, My Cloud Home Duo and SanDisk ibi\ndevices will be automatically updated to reflect the latest\nfirmware version.</p>\n\n<p>For My Cloud OS 5 devices, Western Digital recommends\nthat users promptly update their devices to the latest firmware by clicking on\nthe firmware update notification.</p>",
                  },
               ],
               value: "\n\n\n\n\n\n\n\n\n\nFor My Cloud Home, My Cloud Home Duo and SanDisk ibi\ndevices will be automatically updated to reflect the latest\nfirmware version.\n\n\n\nFor My Cloud OS 5 devices, Western Digital recommends\nthat users promptly update their devices to the latest firmware by clicking on\nthe firmware update notification.\n\n",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Path Traversal Vulnerability leading to an arbitrary file read in Western Digital devices",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-36328",
      datePublished: "2023-05-18T17:55:02.517Z",
      dateReserved: "2022-07-20T13:57:56.404Z",
      dateUpdated: "2025-01-22T14:39:06.257Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-36331
Vulnerability from cvelistv5
Published
2023-06-12 17:57
Modified
2025-01-03 14:48
Summary
Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data. This issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102.
Impacted products
Vendor Product Version
Western Digital My Cloud OS 5 Version: 0   < 5.25.132
Western Digital My Cloud Home and My Cloud Home Duo Version: 0   < 8.13.1-102
SanDisk ibi Version: 0   < 8.13.1-102


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T10:00:04.251Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://https://www.westerndigital.com/support/product-security/wdc-22020-my-cloud-os-5-my-cloud-home-ibi-firmware-update",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-36331",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-03T14:47:57.847828Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-03T14:48:13.386Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud OS 5",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "5.25.132",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home and My Cloud Home Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: " 8.13.1-102",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: " 8.13.1-102",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Claroty Research, Team82 – Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data.</span><br><p>This issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102.</p>",
                  },
               ],
               value: "Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data.\nThis issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102.\n\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 10,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-290",
                     description: "CWE-290 Authentication Bypass by Spoofing",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-06-12T17:57:51.994Z",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://https://www.westerndigital.com/support/product-security/wdc-22020-my-cloud-os-5-my-cloud-home-ibi-firmware-update",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>All My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices have been or will be automatically updated to the latest firmware version. Cloud access will not be available until your My Cloud Home/My Cloud Home Duo/SanDisk ibi device has been updated to firmware version 8.13.1-102 or above. Please refer to this <a target=\"_blank\" rel=\"nofollow\" href=\"https://support-en.wd.com/app/answers/detailweb/a_id/50563\">KBA</a>.</p><p>Users of other My Cloud devices should promptly update to the latest firmware by clicking the firmware update notification to receive the latest security fixes. Cloud access will not be available until your My Cloud device has been updated to firmware version 5.25.132 or above. Please refer to this <a target=\"_blank\" rel=\"nofollow\" href=\"https://support-en.wd.com/app/answers/detailweb/a_id/50564\">KBA</a>.</p>",
                  },
               ],
               value: "All My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices have been or will be automatically updated to the latest firmware version. Cloud access will not be available until your My Cloud Home/My Cloud Home Duo/SanDisk ibi device has been updated to firmware version 8.13.1-102 or above. Please refer to this  KBA https://support-en.wd.com/app/answers/detailweb/a_id/50563 .\n\nUsers of other My Cloud devices should promptly update to the latest firmware by clicking the firmware update notification to receive the latest security fixes. Cloud access will not be available until your My Cloud device has been updated to firmware version 5.25.132 or above. Please refer to this  KBA https://support-en.wd.com/app/answers/detailweb/a_id/50564 .\n\n",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Impersonation attack causing an Authentication Bypass on Western Digital devices",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-36331",
      datePublished: "2023-06-12T17:57:51.994Z",
      dateReserved: "2022-07-20T13:57:56.405Z",
      dateUpdated: "2025-01-03T14:48:13.386Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-22997
Vulnerability from cvelistv5
Published
2022-07-12 20:22
Modified
2024-08-03 03:28
Summary
Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices.
Impacted products
Vendor Product Version
Western Digital My Cloud Home Version: My Cloud Home Firmware   < 8.5.1-102


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:28:42.830Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "8.5.1-102",
                     status: "affected",
                     version: "My Cloud Home Firmware",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Western Digital would like to thank Viettel Cyber Security for reporting this issue.",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "ADJACENT_NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-78",
                     description: "CWE-78 OS Command Injection",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-12T20:22:36",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "My Cloud Home devices have been automatically updated to resolve this vulnerability",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Command Injection Vulnerability on My Cloud Home",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "psirt@wdc.com",
               ID: "CVE-2022-22997",
               STATE: "PUBLIC",
               TITLE: "Command Injection Vulnerability on My Cloud Home",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "My Cloud Home",
                                 version: {
                                    version_data: [
                                       {
                                          platform: "Linux",
                                          version_affected: "<",
                                          version_name: "My Cloud Home Firmware",
                                          version_value: "8.5.1-102",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Western Digital",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "Western Digital would like to thank Viettel Cyber Security for reporting this issue.",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  attackVector: "ADJACENT_NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-78 OS Command Injection",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
                     refsource: "MISC",
                     url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "My Cloud Home devices have been automatically updated to resolve this vulnerability",
               },
            ],
            source: {
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-22997",
      datePublished: "2022-07-12T20:22:36",
      dateReserved: "2022-01-10T00:00:00",
      dateUpdated: "2024-08-03T03:28:42.830Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-36326
Vulnerability from cvelistv5
Published
2023-05-18 17:53
Modified
2025-01-22 14:32
Summary
An uncontrolled resource consumption vulnerability that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted, was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.
Impacted products
Vendor Product Version
Western Digital My Cloud Home and My Cloud Home Duo Version: 0   < 9.4.0-191
SanDisk ibi Version: 0   < 9.4.0-191
Western Digital My Cloud OS 5 Version: 0   < 5.26.202


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T10:00:04.241Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-36326",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-22T14:31:41.964074Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-22T14:32:18.905Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home and My Cloud Home Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: " 9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: " 9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud OS 5",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "5.26.202",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability.<p>This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.</p>",
                  },
               ],
               value: "An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.\n\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 4.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400 Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-05-18T17:53:21.372Z",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
            },
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<span style=\"background-color: rgb(255, 255, 255);\">For My Cloud Home, My Cloud Home Duo and SanDisk ibi devices&nbsp;</span>will be automatically updated to reflect the latest firmware version.<br><span style=\"background-color: rgb(255, 255, 255);\">For My Cloud OS 5 devices, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.</span><br>",
                  },
               ],
               value: "For My Cloud Home, My Cloud Home Duo and SanDisk ibi devices will be automatically updated to reflect the latest firmware version.\nFor My Cloud OS 5 devices, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.\n",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Resource Exhaustion Vulnerability in Western Digital devices",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-36326",
      datePublished: "2023-05-18T17:53:21.372Z",
      dateReserved: "2022-07-20T13:57:56.403Z",
      dateUpdated: "2025-01-22T14:32:18.905Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-22995
Vulnerability from cvelistv5
Published
2022-03-25 00:00
Modified
2024-08-03 03:28
Severity ?
Summary
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting this combination of primitives, an attacker can execute arbitrary code.
Impacted products
Vendor Product Version
Western Digital My Cloud Version: My Cloud OS 5   < 5.19.117
Western Digital My Cloud Home Version: My Cloud Home   < 7.16-220


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:28:42.925Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-22005-netatalk-security-vulnerabilities",
               },
               {
                  name: "FEDORA-2023-cec97f7b5d",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/",
               },
               {
                  name: "FEDORA-2023-ef901c862c",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/",
               },
               {
                  name: "GLSA-202311-02",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202311-02",
               },
               {
                  name: "FEDORA-2023-39f0ec3879",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/",
               },
               {
                  name: "[debian-lts-announce] 20240104 [SECURITY] [DLA 3706-1] netatalk security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               platforms: [
                  "Linux",
               ],
               product: "My Cloud",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: " 5.19.117",
                     status: "affected",
                     version: "My Cloud OS 5",
                     versionType: "custom",
                  },
               ],
            },
            {
               platforms: [
                  "Android ",
               ],
               product: "My Cloud Home",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: " 7.16-220",
                     status: "affected",
                     version: "My Cloud Home",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool__) from Synacktiv working with Trend Micro’s Zero Day Initiative",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 10,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-59",
                     description: "CWE-59 Improper Link Resolution Before File Access ('Link Following')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-04T22:06:13.592937",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-22005-netatalk-security-vulnerabilities",
            },
            {
               name: "FEDORA-2023-cec97f7b5d",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/",
            },
            {
               name: "FEDORA-2023-ef901c862c",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/",
            },
            {
               name: "GLSA-202311-02",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202311-02",
            },
            {
               name: "FEDORA-2023-39f0ec3879",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/",
            },
            {
               name: "[debian-lts-announce] 20240104 [SECURITY] [DLA 3706-1] netatalk security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Western Digital My Cloud OS 5 and My Cloud Home Unauthenticated Arbitrary File Write Vulnerability in Netatalk",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-22995",
      datePublished: "2022-03-25T00:00:00",
      dateReserved: "2022-01-10T00:00:00",
      dateUpdated: "2024-08-03T03:28:42.925Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-22817
Vulnerability from cvelistv5
Published
2024-02-05 21:26
Modified
2024-08-02 10:20
Summary
Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. 
Impacted products
Vendor Product Version
Western Digital My Cloud OS 5 Version: 0   < 5.27.161
Western Digital My Cloud Home & Duo Version: 0   < 9.5.1-104
SanDisk ibi Version: 0   < 9.5.1-104
Show details on NVD website


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-22817",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-02-06T15:36:16.188338Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-07-05T17:21:32.355Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T10:20:31.069Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud OS 5",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "5.27.161",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home & Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "9.5.1-104",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: "9.5.1-104",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">by fixing DNS addresses that refer to loopback. </span>This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.&nbsp;<br>",
                  },
               ],
               value: "Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. \n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 5.5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-918",
                     description: "CWE-918 Server-Side Request Forgery (SSRF)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-02-05T21:26:42.020Z",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<div><div><p><span style=\"background-color: var(--wht);\">For My Cloud OS 5 devices,&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.</span></span></p><p><span style=\"background-color: var(--wht);\">My Cloud Home, My Cloud Home Duo and SanDisk ibi devices will be automatically updated to reflect the latest firmware version.</span><br></p></div><div></div></div><div><div><div><div><br></div></div></div></div><br>",
                  },
               ],
               value: "For My Cloud OS 5 devices, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.\n\nMy Cloud Home, My Cloud Home Duo and SanDisk ibi devices will be automatically updated to reflect the latest firmware version.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2023-22817",
      datePublished: "2024-02-05T21:26:42.020Z",
      dateReserved: "2023-01-06T20:23:44.301Z",
      dateUpdated: "2024-08-02T10:20:31.069Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-29836
Vulnerability from cvelistv5
Published
2022-11-09 00:00
Modified
2024-08-03 06:33
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Cloud Home; My Cloud Home Duo; and SanDisk ibi devices that could allow an attacker to abuse certain parameters to point to random locations on the file system. This could also allow the attacker to initiate the installation of custom packages at these locations. This can only be exploited once the attacker has been authenticated to the device. This issue affects: Western Digital My Cloud Home and My Cloud Home Duo versions prior to 8.11.0-113 on Linux; SanDisk ibi versions prior to 8.11.0-113 on Linux.
Impacted products
Vendor Product Version
Western Digital My Cloud Home Version: My Cloud Home   < 8.11.0-113
Version: My Cloud Home Duo   < 8.11.0-113
SanDisk ibi Version: ibi   < 8.11.0-113


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T06:33:42.762Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-22016-my-cloud-home-ibi-firmware-version-8-11-0-113",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "8.11.0-113",
                     status: "affected",
                     version: "My Cloud Home ",
                     versionType: "custom",
                  },
                  {
                     lessThan: "8.11.0-113",
                     status: "affected",
                     version: "My Cloud Home Duo",
                     versionType: "custom",
                  },
               ],
            },
            {
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: "8.11.0-113",
                     status: "affected",
                     version: "ibi",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Cloud Home; My Cloud Home Duo; and SanDisk ibi devices that could allow an attacker to abuse certain parameters to point to random locations on the file system. This could also allow the attacker to initiate the installation of custom packages at these locations. This can only be exploited once the attacker has been authenticated to the device. This issue affects: Western Digital My Cloud Home and My Cloud Home Duo versions prior to 8.11.0-113 on Linux; SanDisk ibi versions prior to 8.11.0-113 on Linux.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 1.9,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-11-11T00:00:00",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-22016-my-cloud-home-ibi-firmware-version-8-11-0-113",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Your My Cloud Home and ibi device will be automatically updated to reflect the latest firmware version.",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Post-Auth Path Traversal Vulnerability Allows Custom Package Installation via HTTP API",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-29836",
      datePublished: "2022-11-09T00:00:00",
      dateReserved: "2022-04-27T00:00:00",
      dateUpdated: "2024-08-03T06:33:42.762Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-36329
Vulnerability from cvelistv5
Published
2023-05-10 19:23
Modified
2024-08-03 10:00
Summary
An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191.
Impacted products
Vendor Product Version
Western Digital My Cloud Home and My Cloud Home Duo Version: 0   < 9.4.0-191
SanDisk ibi Version: 0   < 9.4.0-191


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T10:00:04.370Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home and My Cloud Home Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: "9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices.<p>This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191.</p>",
                  },
               ],
               value: "An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191.\n\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 4.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "CWE-400 Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-05-10T22:07:39.132Z",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<div><div><p>All devices will be automatically updated to reflect the latest firmware version.</p></div></div><div><div><div></div></div></div>",
                  },
               ],
               value: "All devices will be automatically updated to reflect the latest firmware version.\n\n\n\n\n\n\n\n\n\n\n\n",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Denial of Service over OTA mechanism in Western Digital My Cloud Home and ibi devices",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-36329",
      datePublished: "2023-05-10T19:23:29.702Z",
      dateReserved: "2022-07-20T13:57:56.405Z",
      dateUpdated: "2024-08-03T10:00:04.370Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-36327
Vulnerability from cvelistv5
Published
2023-05-18 17:54
Modified
2025-01-22 14:41
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited.  This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.
Impacted products
Vendor Product Version
Western Digital My Cloud Home and My Cloud Home Duo Version: 0   < 9.4.0-191
SanDisk ibi Version: 0   < 9.4.0-191
Western Digital My Cloud OS 5 Version: 0   < 5.26.202


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T10:00:04.219Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-36327",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-22T14:41:31.468419Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-22T14:41:39.710Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home and My Cloud Home Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: " 9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: " 9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud OS 5",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "5.26.202",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               user: "00000000-0000-4000-9000-000000000000",
               value: "Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative ",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited.&nbsp;<br><span style=\"background-color: var(--wht);\">This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.</span>",
                  },
               ],
               value: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited. \nThis issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.8,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "HIGH",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-05-31T18:11:34.883Z",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
            },
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "\n\n\n\n\n\n\n\n\n\n\n<p>For My Cloud Home, My Cloud Home Duo and SanDisk ibi\ndevices will be automatically updated to reflect the latest\nfirmware version.</p>\n\n<p>For My Cloud OS 5 devices, Western Digital recommends\nthat users promptly update their devices to the latest firmware by clicking on\nthe firmware update notification.</p>",
                  },
               ],
               value: "\n\n\n\n\n\n\n\n\n\nFor My Cloud Home, My Cloud Home Duo and SanDisk ibi\ndevices will be automatically updated to reflect the latest\nfirmware version.\n\n\n\nFor My Cloud OS 5 devices, Western Digital recommends\nthat users promptly update their devices to the latest firmware by clicking on\nthe firmware update notification.\n\n",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Path traversal vulnerability leading to an arbitrary file write in Western Digital devices",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-36327",
      datePublished: "2023-05-18T17:54:39.229Z",
      dateReserved: "2022-07-20T13:57:56.404Z",
      dateUpdated: "2025-01-22T14:41:39.710Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-23006
Vulnerability from cvelistv5
Published
2022-09-27 13:53
Modified
2024-08-03 03:28
Summary
A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from the /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.
References
Impacted products
Vendor Product Version
Western Digital My Cloud Home Version: 8.10.0-117   < 8.10.0-117
Western Digital My Cloud Home Duo Version: 8.10.0-117   < 8.10.0-117
SanDisk ibi Version: 8.10.0-117   < 8.10.0-117


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:28:42.880Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://nvd.nist.gov/vuln/detail/CVE-2022-23006",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "8.10.0-117",
                     status: "affected",
                     version: "8.10.0-117",
                     versionType: "custom",
                  },
               ],
            },
            {
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "8.10.0-117",
                     status: "affected",
                     version: "8.10.0-117",
                     versionType: "custom",
                  },
               ],
            },
            {
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: "8.10.0-117",
                     status: "affected",
                     version: "8.10.0-117",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 1.8,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-121",
                     description: "CWE-121 Stack-based Buffer Overflow",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-09-27T13:53:34",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://nvd.nist.gov/vuln/detail/CVE-2022-23006",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Your device will be automatically updated to the latest firmware version.",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Buffer Overflow Vulnerability in Western Digital My Cloud Home Products and SanDisk ibi",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "psirt@wdc.com",
               ID: "CVE-2022-23006",
               STATE: "PUBLIC",
               TITLE: "Buffer Overflow Vulnerability in Western Digital My Cloud Home Products and SanDisk ibi",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "My Cloud Home",
                                 version: {
                                    version_data: [
                                       {
                                          platform: "Linux",
                                          version_affected: "<",
                                          version_name: "8.10.0-117",
                                          version_value: "8.10.0-117",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "My Cloud Home Duo",
                                 version: {
                                    version_data: [
                                       {
                                          platform: "Linux",
                                          version_affected: "<",
                                          version_name: "8.10.0-117",
                                          version_value: "8.10.0-117",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Western Digital",
                     },
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ibi",
                                 version: {
                                    version_data: [
                                       {
                                          platform: "Linux",
                                          version_affected: "<",
                                          version_name: "8.10.0-117",
                                          version_value: "8.10.0-117",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "SanDisk",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 1.8,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-121 Stack-based Buffer Overflow",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://nvd.nist.gov/vuln/detail/CVE-2022-23006",
                     refsource: "MISC",
                     url: "https://nvd.nist.gov/vuln/detail/CVE-2022-23006",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Your device will be automatically updated to the latest firmware version.",
               },
            ],
            source: {
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-23006",
      datePublished: "2022-09-27T13:53:29",
      dateReserved: "2022-01-10T00:00:00",
      dateUpdated: "2024-08-03T03:28:42.880Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-22998
Vulnerability from cvelistv5
Published
2022-07-12 20:19
Modified
2024-08-03 03:28
Summary
Implemented protections on AWS credentials that were not properly protected.
Impacted products
Vendor Product Version
Western Digital My Cloud Home Version: My Cloud Home Firmware   < 8.5.1-102


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T03:28:42.801Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "8.5.1-102",
                     status: "affected",
                     version: "My Cloud Home Firmware",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Western Digital would like to thank Viettel Cyber Security for reporting this issue.",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Implemented protections on AWS credentials that were not properly protected.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "ADJACENT_NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-522",
                     description: "CWE-522 Insufficiently Protected Credentials",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-07-12T20:19:34",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "My Cloud Home devices have been automatically updated to resolve this vulnerability",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Protecting AWS credentials stored in plaintext on My Cloud Home",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "psirt@wdc.com",
               ID: "CVE-2022-22998",
               STATE: "PUBLIC",
               TITLE: "Protecting AWS credentials stored in plaintext on My Cloud Home",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "My Cloud Home",
                                 version: {
                                    version_data: [
                                       {
                                          platform: "Linux",
                                          version_affected: "<",
                                          version_name: "My Cloud Home Firmware",
                                          version_value: "8.5.1-102",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Western Digital",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "Western Digital would like to thank Viettel Cyber Security for reporting this issue.",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Implemented protections on AWS credentials that were not properly protected.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "HIGH",
                  attackVector: "ADJACENT_NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-522 Insufficiently Protected Credentials",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
                     refsource: "MISC",
                     url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "My Cloud Home devices have been automatically updated to resolve this vulnerability",
               },
            ],
            source: {
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-22998",
      datePublished: "2022-07-12T20:19:34",
      dateReserved: "2022-01-10T00:00:00",
      dateUpdated: "2024-08-03T03:28:42.801Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-29837
Vulnerability from cvelistv5
Published
2022-12-01 00:00
Modified
2024-08-03 06:33
Summary
A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.
Impacted products
Vendor Product Version
Western Digital My Cloud Home Version: My Cloud Home   < 8.12.0-178
Version: My Cloud Home Duo   < 8.12.0-178
SanDisk ibi Version: ibi   < 8.12.0-178


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T06:33:42.797Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: "8.12.0-178",
                     status: "affected",
                     version: "My Cloud Home ",
                     versionType: "custom",
                  },
                  {
                     lessThan: "8.12.0-178",
                     status: "affected",
                     version: "My Cloud Home Duo",
                     versionType: "custom",
                  },
               ],
            },
            {
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: "8.12.0-178",
                     status: "affected",
                     version: "ibi",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 4.7,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-12-01T00:00:00",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "The user's My Cloud Home, My Cloud Home Duo and ibi devices will be automatically updated to reflect the latest firmware version.",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Path traversal Vulnerability in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Devices",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-29837",
      datePublished: "2022-12-01T00:00:00",
      dateReserved: "2022-04-27T00:00:00",
      dateUpdated: "2024-08-03T06:33:42.797Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-36330
Vulnerability from cvelistv5
Published
2023-05-09 23:16
Modified
2024-08-03 10:00
Summary
A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191. 
Impacted products
Vendor Product Version
Western Digital My Cloud Home and My Cloud Home Duo Version: 0   < 9.4.0-191
SanDisk ibi Version: 0   < 9.4.0-191


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T10:00:04.306Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "My Cloud Home and My Cloud Home Duo",
               vendor: "Western Digital",
               versions: [
                  {
                     lessThan: " 9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               defaultStatus: "unaffected",
               platforms: [
                  "Linux",
               ],
               product: "ibi",
               vendor: "SanDisk",
               versions: [
                  {
                     lessThan: " 9.4.0-191",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution<span style=\"background-color: var(--wht);\">&nbsp;in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability.</span></p><p>This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191.&nbsp;<br></p><br>",
                  },
               ],
               value: "A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability.\n\nThis issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191. \n\n\n\n",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 1.9,
                  baseSeverity: "LOW",
                  confidentialityImpact: "LOW",
                  integrityImpact: "NONE",
                  privilegesRequired: "HIGH",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-120",
                     description: "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-05-10T22:08:29.564Z",
            orgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
            shortName: "WDC PSIRT",
         },
         references: [
            {
               url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
            },
         ],
         solutions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "\n\n\n\n\n\n\n\n\n\n<p>For My Cloud Home, My Cloud Home Duo and SanDisk ibi\ndevices will be automatically updated to reflect the latest\nfirmware version.</p>",
                  },
               ],
               value: "\n\n\n\n\n\n\n\n\nFor My Cloud Home, My Cloud Home Duo and SanDisk ibi\ndevices will be automatically updated to reflect the latest\nfirmware version.\n\n",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Buffer Overflow Vulnerability in Western Digital My Cloud Home and ibi devices",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
      assignerShortName: "WDC PSIRT",
      cveId: "CVE-2022-36330",
      datePublished: "2023-05-09T23:16:03.743Z",
      dateReserved: "2022-07-20T13:57:56.405Z",
      dateUpdated: "2024-08-03T10:00:04.306Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

Vulnerability from fkie_nvd
Published
2023-05-18 18:15
Modified
2024-11-21 07:12
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_os_5:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "056AA1A3-F012-40A9-A351-628C905B3FEA",
                     versionEndExcluding: "5.26.202",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A9EE86B-05EE-4F2E-A912-624DDCF9C41B",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9E783EBC-7608-4527-B1AD-9B4E7A7A108C",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F3034F4A-239C-4E38-9BD6-217361A7C519",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A581EBA-A1F2-4ABC-8183-29973A46FA43",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B78030F0-6655-4604-9D16-2FA1F3FD52FF",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6DE090BC-C847-4DF7-9C5F-52A300845558",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BF58260B-2131-402C-A9DA-67B188136DE1",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CB0C2FD9-4792-4DA2-9698-E53109A499EC",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8FDE0337-4329-4CE3-9B0B-61BE8361E910",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D471C39A-0854-4755-9DF8-5BAABAB09619",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "13A2FB91-CCCF-42B1-BCE1-F4962D353593",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A0368E6-53C8-4BD2-B0E8-44464B245832",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited. \nThis issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.",
      },
   ],
   id: "CVE-2022-36327",
   lastModified: "2024-11-21T07:12:48.123",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.8,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "HIGH",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.3,
            impactScore: 4,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-05-18T18:15:09.883",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
      {
         source: "psirt@wdc.com",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-05-10 20:15
Modified
2024-11-21 07:12
Summary
An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D471C39A-0854-4755-9DF8-5BAABAB09619",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A0368E6-53C8-4BD2-B0E8-44464B245832",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "13A2FB91-CCCF-42B1-BCE1-F4962D353593",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191.\n\n",
      },
   ],
   id: "CVE-2022-36329",
   lastModified: "2024-11-21T07:12:48.417",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 4.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 0.8,
            impactScore: 3.6,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-05-10T20:15:09.530",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-03-25 23:15
Modified
2024-11-21 06:47
Summary
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting this combination of primitives, an attacker can execute arbitrary code.
References
psirt@wdc.com | https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html
psirt@wdc.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/ | Mailing List
psirt@wdc.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/ | Mailing List
psirt@wdc.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/ | Mailing List
psirt@wdc.com | https://security.gentoo.org/glsa/202311-02 | Issue Tracking, Third Party Advisory
psirt@wdc.com | https://www.westerndigital.com/support/product-security/wdc-22005-netatalk-security-vulnerabilities | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/ | Mailing List
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/ | Mailing List
af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/ | Mailing List
af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202311-02 | Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.westerndigital.com/support/product-security/wdc-22005-netatalk-security-vulnerabilities | Vendor Advisory



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_pr2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "8383E9FC-13FD-4A17-8B66-EEB8B6149BDC",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BF58260B-2131-402C-A9DA-67B188136DE1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_pr4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CB009E7E-7622-4ECC-92A1-0A243231FD07",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CB0C2FD9-4792-4DA2-9698-E53109A499EC",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6B8798DF-7A77-41A0-85A2-0A5A4B6989A9",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B78030F0-6655-4604-9D16-2FA1F3FD52FF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F0BF3DA8-8B6E-4653-80EF-BC720EF07C93",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A581EBA-A1F2-4ABC-8183-29973A46FA43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_mirror_gen_2_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "52993B07-DA31-4B5E-BF48-58365B17B4F4",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5695E842-1561-4A4F-901F-6EC07F558989",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_dl2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "00D91194-446C-4589-BBD2-3DDB5168F428",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9E783EBC-7608-4527-B1AD-9B4E7A7A108C",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "25D4325A-499E-4EE9-BF9A-F9023F40C5E1",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F3034F4A-239C-4E38-9BD6-217361A7C519",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "38C7A235-CB9B-4B57-9EBA-6512A20A8AB7",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "716C7564-7342-4D77-9936-0D49A9B76358",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A9EE86B-05EE-4F2E-A912-624DDCF9C41B",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:wd_cloud_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "400B0EA3-FD94-414B-882A-7D3DEDF03305",
                     versionEndExcluding: "5.19.117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8FDE0337-4329-4CE3-9B0B-61BE8361E910",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D002E37F-1CFF-47CC-BAB6-67725A70D20A",
                     versionEndExcluding: "7.16-220",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9B3B3806-09AC-4151-9138-19276A22C961",
                     versionEndExcluding: "3.1.18",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
                     matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
                     matchCriteriaId: "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
                     matchCriteriaId: "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.",
      },
      {
         lang: "es",
         value: "La combinación de primitivas que ofrecen SMB y AFP en su configuración por defecto permite la escritura arbitraria de archivos. Al explotar esta combinación de primitivas, un atacante puede ejecutar código arbitrario",
      },
   ],
   id: "CVE-2022-22995",
   lastModified: "2024-11-21T06:47:46.037",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 10,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 6,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-03-25T23:15:08.410",
   references: [
      {
         source: "psirt@wdc.com",
         url: "https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html",
      },
      {
         source: "psirt@wdc.com",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/",
      },
      {
         source: "psirt@wdc.com",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/",
      },
      {
         source: "psirt@wdc.com",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/",
      },
      {
         source: "psirt@wdc.com",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202311-02",
      },
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22005-netatalk-security-vulnerabilities",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://security.gentoo.org/glsa/202311-02",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22005-netatalk-security-vulnerabilities",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-59",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-59",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-11-09 21:15
Modified
2024-11-21 06:59
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Cloud Home; My Cloud Home Duo; and SanDisk ibi devices that could allow an attacker to abuse certain parameters to point to random locations on the file system. This could also allow the attacker to initiate the installation of custom packages at these locations. This can only be exploited once the attacker has been authenticated to the device. This issue affects: Western Digital My Cloud Home and My Cloud Home Duo versions prior to 8.11.0-113 on Linux; SanDisk ibi versions prior to 8.11.0-113 on Linux.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "8F17551C-A43E-459B-B6E0-F24ACD31EA65",
                     versionEndExcluding: "8.11.0-113",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "308ED732-766A-4342-96C9-59A12A64DBCA",
                     versionEndExcluding: "8.11.0-113",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "172BFB9E-49F1-4E76-944E-914855932EF5",
                     versionEndExcluding: "8.11.0-113",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Cloud Home; My Cloud Home Duo; and SanDisk ibi devices that could allow an attacker to abuse certain parameters to point to random locations on the file system. This could also allow the attacker to initiate the installation of custom packages at these locations. This can only be exploited once the attacker has been authenticated to the device. This issue affects: Western Digital My Cloud Home and My Cloud Home Duo versions prior to 8.11.0-113 on Linux; SanDisk ibi versions prior to 8.11.0-113 on Linux.",
      },
      {
         lang: "es",
         value: "Se descubrió una vulnerabilidad de limitación inadecuada de un nombre de ruta a un  Restricted Directory (\"Path Traversal\") a través de una API HTTP en Western Digital My Cloud Home; My Cloud Home Duo; y dispositivos SanDisk ibi que podrían permitir a un atacante abusar de ciertos parámetros para señalar ubicaciones aleatorias en el sistema de archivos. Esto también podría permitir al atacante iniciar la instalación de paquetes personalizados en estas ubicaciones. Esto sólo puede explotarse una vez que el atacante se haya autenticado en el dispositivo. Este problema afecta a: versiones de Western Digital My Cloud Home y My Cloud Home Duo anteriores a 8.11.0-113 en Linux; Versiones de SanDisk ibi anteriores a 8.11.0-113 en Linux.",
      },
   ],
   id: "CVE-2022-29836",
   lastModified: "2024-11-21T06:59:47.080",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 1.9,
               baseSeverity: "LOW",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 0.5,
            impactScore: 1.4,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "LOW",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-11-09T21:15:14.507",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22016-my-cloud-home-ibi-firmware-version-8-11-0-113",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22016-my-cloud-home-ibi-firmware-version-8-11-0-113",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-05-10 00:15
Modified
2024-11-21 07:12
Summary
A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191. 



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A0368E6-53C8-4BD2-B0E8-44464B245832",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A0368E6-53C8-4BD2-B0E8-44464B245832",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "13A2FB91-CCCF-42B1-BCE1-F4962D353593",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D471C39A-0854-4755-9DF8-5BAABAB09619",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability.\n\nThis issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191. \n\n\n\n",
      },
   ],
   id: "CVE-2022-36330",
   lastModified: "2024-11-21T07:12:48.563",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 1.9,
               baseSeverity: "LOW",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 0.5,
            impactScore: 1.4,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.1,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.2,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-05-10T00:15:09.467",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-120",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-120",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-05-18 18:15
Modified
2024-11-21 07:12
Summary
An uncontrolled resource consumption vulnerability was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices: crafted requests sent to a service could make it consume a large amount of memory, eventually resulting in the service being stopped and restarted. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_os_5:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "056AA1A3-F012-40A9-A351-628C905B3FEA",
                     versionEndExcluding: "5.26.202",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A9EE86B-05EE-4F2E-A912-624DDCF9C41B",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9E783EBC-7608-4527-B1AD-9B4E7A7A108C",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F3034F4A-239C-4E38-9BD6-217361A7C519",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A581EBA-A1F2-4ABC-8183-29973A46FA43",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B78030F0-6655-4604-9D16-2FA1F3FD52FF",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6DE090BC-C847-4DF7-9C5F-52A300845558",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BF58260B-2131-402C-A9DA-67B188136DE1",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CB0C2FD9-4792-4DA2-9698-E53109A499EC",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8FDE0337-4329-4CE3-9B0B-61BE8361E910",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D471C39A-0854-4755-9DF8-5BAABAB09619",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "13A2FB91-CCCF-42B1-BCE1-F4962D353593",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A0368E6-53C8-4BD2-B0E8-44464B245832",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.\n\n",
      },
   ],
   id: "CVE-2022-36326",
   lastModified: "2024-11-21T07:12:47.970",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 4.4,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 0.7,
            impactScore: 3.6,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 4.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.2,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-05-18T18:15:09.820",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
      {
         source: "psirt@wdc.com",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-07-12 21:15
Modified
2024-11-21 06:47
Summary
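AWS credentials were not properly protected; protections on them have been implemented. The configurations in the record below list My Cloud Home and My Cloud Home Duo firmware before 8.5.1-102 as vulnerable.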



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A841DCC2-1613-4AEA-9BA4-01C8CDFFC139",
                     versionEndExcluding: "8.5.1-102",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6F6393CE-61EF-48D1-AD0B-2462D0E08406",
                     versionEndExcluding: "8.5.1-102",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Implemented protections on AWS credentials that were not properly protected.",
      },
      {
         lang: "es",
         value: "Se han implementado protecciones en las credenciales de AWS que no estaban debidamente protegidas",
      },
   ],
   id: "CVE-2022-22998",
   lastModified: "2024-11-21T06:47:46.453",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "ADJACENT_NETWORK",
               availabilityImpact: "NONE",
               baseScore: 8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.6,
            impactScore: 5.8,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-07-12T21:15:09.447",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-12-01 17:15
Modified
2024-11-21 06:59
Summary
A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to code execution.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "931C7D29-B890-4F9E-BC34-8B06F760F0C0",
                     versionEndExcluding: "8.12.0-178",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "02E03150-FBB8-409C-AC8C-7F1015394736",
                     versionEndExcluding: "8.12.0-178",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DFF66109-234D-4AC8-98A0-999466282B6B",
                     versionEndExcluding: "8.12.0-178",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.",
      },
      {
         lang: "es",
         value: "Se solucionó una vulnerabilidad de path traversal en Western Digital My Cloud Home, My Cloud Home Duo y SanDisk ibi que podría permitir a un atacante iniciar la instalación de paquetes ZIP personalizados y sobrescribir archivos del sistema. Potencialmente, esto podría conducir a la ejecución de un código.",
      },
   ],
   id: "CVE-2022-29837",
   lastModified: "2024-11-21T06:59:47.207",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 4.7,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1,
            impactScore: 3.6,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-12-01T17:15:11.290",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-02-05 22:15
Modified
2024-11-21 07:45
Summary
Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. 



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_pr2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "65956C3F-A729-4A75-AA37-74B5E89A079D",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BF58260B-2131-402C-A9DA-67B188136DE1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_pr4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CD7A6F3E-6031-4123-AEB3-498A37164AFC",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CB0C2FD9-4792-4DA2-9698-E53109A499EC",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "3B7F303F-BEA6-4546-B7F3-85937F055C70",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B78030F0-6655-4604-9D16-2FA1F3FD52FF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D626D580-E58A-4B6C-82C7-B9E4EFDD45E6",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A581EBA-A1F2-4ABC-8183-29973A46FA43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_mirror_g2_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CA969327-0057-483A-BDEA-48044C2AAFDA",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6DE090BC-C847-4DF7-9C5F-52A300845558",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_dl2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C32A7FB-2EAC-431F-A2AF-033BC56B7548",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9E783EBC-7608-4527-B1AD-9B4E7A7A108C",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4289EA01-0B97-4628-8658-56C35D328476",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F3034F4A-239C-4E38-9BD6-217361A7C519",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "14973F26-4E47-4531-96ED-1F4DE2B90782",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_glacier_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AC4318FA-0121-4730-9199-3E6E18872B9C",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_glacier:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4725EF2C-5954-45DA-95D1-0A2F8F3E7714",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:wd_cloud_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AC132C6A-CA10-431F-AEDE-64979DA8D960",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8FDE0337-4329-4CE3-9B0B-61BE8361E910",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D90D9B21-6C1A-4FC3-B292-B72BB521E1B6",
                     versionEndExcluding: "9.5.1-104",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "233200A4-0DDF-4FEE-967B-DDB638D0DBB0",
                     versionEndExcluding: "9.5.1-104",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4523B737-F58A-4A73-AE74-EAF313AEBDFC",
                     versionEndExcluding: "9.5.1-104",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. \n",
      },
      {
         lang: "es",
         value: "Vulnerabilidad de server-side request forgery (SSRF) que podría permitir que un servidor no autorizado en la red local modifique su URL utilizando otra dirección DNS para apuntar al adaptador de loopback. Esto podría permitir que la URL aproveche otras vulnerabilidades en el servidor local. Esto se solucionó corrigiendo las direcciones DNS que hacen referencia al loopback. Este problema afecta a los dispositivos My Cloud OS 5 anteriores a 5.27.161, My Cloud Home, My Cloud Home Duo y SanDisk ibi anteriores a 9.5.1-104.",
      },
   ],
   id: "CVE-2023-22817",
   lastModified: "2024-11-21T07:45:28.620",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 5.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.6,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 5.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-02-05T22:15:54.820",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-918",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-918",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2024-02-05 22:15
Modified
2024-11-21 07:45
Summary
An uncontrolled resource consumption vulnerability was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices: crafted requests sent to a service can make it consume a large amount of memory, eventually resulting in the service being stopped and restarted. Exploiting this issue requires the attacker to already have root privileges. This issue affects My Cloud Home and My Cloud Home Duo: before 9.5.1-104; ibi: before 9.5.1-104; My Cloud OS 5: before 5.27.161.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_pr4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CD7A6F3E-6031-4123-AEB3-498A37164AFC",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CB0C2FD9-4792-4DA2-9698-E53109A499EC",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "3B7F303F-BEA6-4546-B7F3-85937F055C70",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B78030F0-6655-4604-9D16-2FA1F3FD52FF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D626D580-E58A-4B6C-82C7-B9E4EFDD45E6",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A581EBA-A1F2-4ABC-8183-29973A46FA43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_mirror_g2_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CA969327-0057-483A-BDEA-48044C2AAFDA",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6DE090BC-C847-4DF7-9C5F-52A300845558",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_dl2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "5C32A7FB-2EAC-431F-A2AF-033BC56B7548",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9E783EBC-7608-4527-B1AD-9B4E7A7A108C",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4289EA01-0B97-4628-8658-56C35D328476",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F3034F4A-239C-4E38-9BD6-217361A7C519",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "14973F26-4E47-4531-96ED-1F4DE2B90782",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_glacier_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AC4318FA-0121-4730-9199-3E6E18872B9C",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_glacier:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "4725EF2C-5954-45DA-95D1-0A2F8F3E7714",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:wd_cloud_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AC132C6A-CA10-431F-AEDE-64979DA8D960",
                     versionEndExcluding: "5.27.161",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8FDE0337-4329-4CE3-9B0B-61BE8361E910",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D90D9B21-6C1A-4FC3-B292-B72BB521E1B6",
                     versionEndExcluding: "9.5.1-104",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "233200A4-0DDF-4FEE-967B-DDB638D0DBB0",
                     versionEndExcluding: "9.5.1-104",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4523B737-F58A-4A73-AE74-EAF313AEBDFC",
                     versionEndExcluding: "9.5.1-104",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.5.1-104; ibi: before 9.5.1-104; My Cloud OS 5: before 5.27.161.",
      },
      {
         lang: "es",
         value: "Se descubrió un problema de vulnerabilidad de consumo de recursos no controlado que podría surgir al enviar solicitudes manipuladas a un servicio para consumir una gran cantidad de memoria, lo que eventualmente resultaría en que el servicio se detuviera y reiniciara en los dispositivos Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi y Western Digital My Cloud OS 5. Este problema requiere que el atacante ya tenga privilegios de root para explotar esta vulnerabilidad. Este problema afecta a My Cloud Home y My Cloud Home Duo: antes de la versión 9.5.1-104; ibi: antes de la versión 9.5.1-104; My Cloud OS 5: antes de la versión 5.27.161.",
      },
   ],
   id: "CVE-2023-22819",
   lastModified: "2024-11-21T07:45:28.917",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 4.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.2,
            impactScore: 3.6,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 4.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.2,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-02-05T22:15:55.023",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-770",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-400",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-09-27 23:15
Modified
2024-11-21 06:47
Summary
A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from the /etc/version file. This vulnerability can only be exploited by chaining it with another issue: if an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in the code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A43E3D15-2F9F-4924-8C36-B1041E6CFA62",
                     versionEndExcluding: "8.10.0-117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "BD203970-1264-4BA0-9AC7-43291899E41F",
                     versionEndExcluding: "8.10.0-117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "7DCC0C4C-DB17-4DA5-A572-6BBD303DDE77",
                     versionEndExcluding: "8.10.0-117",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.",
      },
      {
         lang: "es",
         value: "Se ha encontrado una vulnerabilidad de desbordamiento de búfer en la región stack de la memoria en Western Digital My Cloud Home, My Cloud Home Duo y SanDisk ibi que podría permitir a un atacante que acceda al sistema localmente leer información del archivo /etc/version. Esta vulnerabilidad sólo puede ser explotada encadenándola con otro problema. Si un atacante es capaz de conducir un ataque de ejecución de código remota, puede conseguir acceso al archivo vulnerable, debido a una presencia de funciones no seguras en el código. Es requerida una interacción del usuario para la explotación. La explotación de la vulnerabilidad podría resultar en una exposición de información, la posibilidad de modificar archivos, a errores de acceso a la memoria o a bloqueos del sistema",
      },
   ],
   id: "CVE-2022-23006",
   lastModified: "2024-11-21T06:47:47.487",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 1.8,
               baseSeverity: "LOW",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 0.3,
            impactScore: 1.4,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 6.7,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 0.8,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-09-27T23:15:12.720",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://nvd.nist.gov/vuln/detail/CVE-2022-23006",
      },
      {
         source: "nvd@nist.gov",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22015-western-digital-my-cloud-home-and-sandisk-ibi-firmware-version-8-10-0-117",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://nvd.nist.gov/vuln/detail/CVE-2022-23006",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-121",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-787",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-06-12 18:15
Modified
2024-11-21 07:12
Summary
Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data. This issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_pr2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B66F84E3-4B1F-4359-9CB9-C4DA88012CBC",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BF58260B-2131-402C-A9DA-67B188136DE1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_pr4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "41816E5B-6A6F-47AF-8EB3-065CEAE2F905",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CB0C2FD9-4792-4DA2-9698-E53109A499EC",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "4B95A4FC-8694-42CA-8F12-0EB42A596B2C",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B78030F0-6655-4604-9D16-2FA1F3FD52FF",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6CF78188-7B7B-4672-8553-34616F21E740",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A581EBA-A1F2-4ABC-8183-29973A46FA43",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_mirror_g2_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6BDE1153-A1A1-495C-BADA-409721BBC3F3",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6DE090BC-C847-4DF7-9C5F-52A300845558",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_dl2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9AE31BDF-EF2A-4A9F-AFEA-EDA4125598D4",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9E783EBC-7608-4527-B1AD-9B4E7A7A108C",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "C9AC1B82-BDCC-42F6-AFCF-BDC036EDBA23",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F3034F4A-239C-4E38-9BD6-217361A7C519",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "71600FC4-BF21-4BA4-BC67-DC9EA43920DC",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "1E0D7EFC-04BD-467F-89A8-50A5E6541F75",
                     versionEndExcluding: "8.13.1-102",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "19584F79-F6AD-4348-A420-D6D7634C678B",
                     versionEndExcluding: "8.13.1-102",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "470DB475-1C91-43F7-A0E1-0B38FEC6AAA3",
                     versionEndExcluding: "8.13.1-102",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "AB0CF5DA-8CEC-4E0C-864F-D18B79F92E0F",
                     versionEndExcluding: "5.25.132",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A9EE86B-05EE-4F2E-A912-624DDCF9C41B",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data.\nThis issue affects My Cloud OS 5 devices: before 5.25.132; My Cloud Home and My Cloud Home Duo: before 8.13.1-102; SanDisk ibi: before 8.13.1-102.\n\n",
      },
   ],
   id: "CVE-2022-36331",
   lastModified: "2024-11-21T07:12:48.703",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 10,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 6,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-06-12T18:15:09.747",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Broken Link",
         ],
         url: "https://https://www.westerndigital.com/support/product-security/wdc-22020-my-cloud-os-5-my-cloud-home-ibi-firmware-update",
      },
      {
         source: "nvd@nist.gov",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22020-my-cloud-os-5-my-cloud-home-ibi-firmware-update",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "https://https://www.westerndigital.com/support/product-security/wdc-22020-my-cloud-os-5-my-cloud-home-ibi-firmware-update",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-290",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-290",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2022-07-12 21:15
Modified
2024-11-21 06:47
Summary
Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A841DCC2-1613-4AEA-9BA4-01C8CDFFC139",
                     versionEndExcluding: "8.5.1-102",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "6F6393CE-61EF-48D1-AD0B-2462D0E08406",
                     versionEndExcluding: "8.5.1-102",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices.",
      },
      {
         lang: "es",
         value: "Se ha abordado una vulnerabilidad de ejecución de código remota mediante la resolución de una vulnerabilidad de inyección de comandos y el cierre de un cubo de AWS S3 que potencialmente permitía a un atacante ejecutar código sin firmar en los dispositivos de My Cloud Home",
      },
   ],
   id: "CVE-2022-22997",
   lastModified: "2024-11-21T06:47:46.327",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "ADJACENT_NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.8,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.6,
            impactScore: 5.2,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-07-12T21:15:09.393",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-22009-my-cloud-home-firmware-version-8-7-0-107",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-78",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-78",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2023-05-18 18:15
Modified
2024-11-21 07:12
Summary
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_os_5:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "056AA1A3-F012-40A9-A351-628C905B3FEA",
                     versionEndExcluding: "5.26.202",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A9EE86B-05EE-4F2E-A912-624DDCF9C41B",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "9E783EBC-7608-4527-B1AD-9B4E7A7A108C",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "F3034F4A-239C-4E38-9BD6-217361A7C519",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "5A581EBA-A1F2-4ABC-8183-29973A46FA43",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "ABBBDC1E-2320-4767-B669-1BB2FFB1E1C4",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "B78030F0-6655-4604-9D16-2FA1F3FD52FF",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "6DE090BC-C847-4DF7-9C5F-52A300845558",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "BF58260B-2131-402C-A9DA-67B188136DE1",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "CB0C2FD9-4792-4DA2-9698-E53109A499EC",
                     vulnerable: false,
                  },
                  {
                     criteria: "cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "8FDE0337-4329-4CE3-9B0B-61BE8361E910",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D471C39A-0854-4755-9DF8-5BAABAB09619",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "2BE2FBAB-5BA0-4F09-A76E-4A6869668810",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "13A2FB91-CCCF-42B1-BCE1-F4962D353593",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "296ADA43-16BA-4444-B472-DB945FB917B2",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0A0368E6-53C8-4BD2-B0E8-44464B245832",
                     versionEndExcluding: "9.4.0-191",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "124BBC79-65A2-465C-B784-D21E57E96F63",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.\n\n",
      },
   ],
   id: "CVE-2022-36328",
   lastModified: "2024-11-21T07:12:48.270",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 5.8,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.3,
            impactScore: 4,
            source: "psirt@wdc.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.9,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "HIGH",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.2,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-05-18T18:15:09.947",
   references: [
      {
         source: "psirt@wdc.com",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
      {
         source: "psirt@wdc.com",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
            "Vendor Advisory",
         ],
         url: "https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202",
      },
   ],
   sourceIdentifier: "psirt@wdc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "psirt@wdc.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}