CVE-2022-29837 (GCVE-0-2022-29837)
Vulnerability from cvelistv5 – Published: 2022-12-01 00:00 – Updated: 2025-04-24 20:12
VLAI?
Summary
A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.
Severity ?
4.7 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Western Digital | My Cloud Home |
Affected:
My Cloud Home , < 8.12.0-178
(custom)
Affected: My Cloud Home Duo , < 8.12.0-178 (custom) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T20:12:21.544434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T20:12:31.109Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"Linux"
],
"product": "My Cloud Home",
"vendor": "Western Digital",
"versions": [
{
"lessThan": "8.12.0-178",
"status": "affected",
"version": "My Cloud Home ",
"versionType": "custom"
},
{
"lessThan": "8.12.0-178",
"status": "affected",
"version": "My Cloud Home Duo",
"versionType": "custom"
}
]
},
{
"platforms": [
"Linux"
],
"product": "ibi",
"vendor": "SanDisk",
"versions": [
{
"lessThan": "8.12.0-178",
"status": "affected",
"version": "ibi",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-01T00:00:00.000Z",
"orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
"shortName": "WDC PSIRT"
},
"references": [
{
"url": "https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178"
}
],
"solutions": [
{
"lang": "en",
"value": "The user\u0027s My Cloud Home, My Cloud Home Duo and ibi devices will be automatically updated to reflect the latest firmware version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Path traversal Vulnerability in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Devices",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
"assignerShortName": "WDC PSIRT",
"cveId": "CVE-2022-29837",
"datePublished": "2022-12-01T00:00:00.000Z",
"dateReserved": "2022-04-27T00:00:00.000Z",
"dateUpdated": "2025-04-24T20:12:31.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.12.0-178\", \"matchCriteriaId\": \"931C7D29-B890-4F9E-BC34-8B06F760F0C0\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2BE2FBAB-5BA0-4F09-A76E-4A6869668810\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.12.0-178\", \"matchCriteriaId\": \"02E03150-FBB8-409C-AC8C-7F1015394736\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"124BBC79-65A2-465C-B784-D21E57E96F63\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.12.0-178\", \"matchCriteriaId\": \"DFF66109-234D-4AC8-98A0-999466282B6B\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"296ADA43-16BA-4444-B472-DB945FB917B2\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.\"}, {\"lang\": \"es\", \"value\": \"Se solucion\\u00f3 una vulnerabilidad de path traversal en Western Digital My Cloud Home, My Cloud Home Duo y SanDisk ibi que podr\\u00eda permitir a un atacante iniciar la instalaci\\u00f3n de paquetes ZIP personalizados y sobrescribir archivos del sistema. Potencialmente, esto podr\\u00eda conducir a la ejecuci\\u00f3n de un c\\u00f3digo.\"}]",
"id": "CVE-2022-29837",
"lastModified": "2024-11-21T06:59:47.207",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@wdc.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 4.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
"published": "2022-12-01T17:15:11.290",
"references": "[{\"url\": \"https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178\", \"source\": \"psirt@wdc.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@wdc.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"psirt@wdc.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-29837\",\"sourceIdentifier\":\"psirt@wdc.com\",\"published\":\"2022-12-01T17:15:11.290\",\"lastModified\":\"2024-11-21T06:59:47.207\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.\"},{\"lang\":\"es\",\"value\":\"Se solucion\u00f3 una vulnerabilidad de path traversal en Western Digital My Cloud Home, My Cloud Home Duo y SanDisk ibi que podr\u00eda permitir a un atacante iniciar la instalaci\u00f3n de paquetes ZIP personalizados y sobrescribir archivos del sistema. Potencialmente, esto podr\u00eda conducir a la ejecuci\u00f3n de un c\u00f3digo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@wdc.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"psirt@wdc.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.12.0-178\",\"matchCriteriaId\":\"931C7D29-B890-4F9E-BC34-8B06F760F0C0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BE2FBAB-5BA0-4F09-A76E-4A6869668810\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.12.0-178\",\"matchCriteriaId\":\"02E03150-FBB8-409C-AC8C-7F1015394736\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"124BBC79-65A2-465C-B784-D21E57E96F63\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.12.0-178\",\"matchCriteriaId\":\"DFF66109-234D-4AC8-98A0-999466282B6B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"296ADA43-16BA-4444-B472-DB945FB917B2\"}]}]}],\"references\":[{\"url\":\"https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178\",\"source\":\"psirt@wdc.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T06:33:42.797Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-29837\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-24T20:12:21.544434Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-24T20:12:27.720Z\"}}], \"cna\": {\"title\": \"Path traversal Vulnerability in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Devices\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Western Digital\", \"product\": \"My Cloud Home\", \"versions\": [{\"status\": \"affected\", \"version\": \"My Cloud Home \", \"lessThan\": \"8.12.0-178\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"My Cloud Home Duo\", \"lessThan\": \"8.12.0-178\", \"versionType\": \"custom\"}], \"platforms\": [\"Linux\"]}, {\"vendor\": \"SanDisk\", \"product\": \"ibi\", \"versions\": [{\"status\": \"affected\", \"version\": \"ibi\", \"lessThan\": \"8.12.0-178\", \"versionType\": \"custom\"}], \"platforms\": [\"Linux\"]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The user\u0027s My Cloud Home, My Cloud Home Duo and ibi devices will be automatically updated to reflect the latest firmware version.\"}], \"references\": [{\"url\": \"https://www.westerndigital.com/support/product-security/wdc-22018-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-8-12-0-178\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"cb3b742e-5145-4748-b44b-5ffd45bf3b6a\", \"shortName\": \"WDC PSIRT\", \"dateUpdated\": \"2022-12-01T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-29837\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-24T20:12:31.109Z\", \"dateReserved\": \"2022-04-27T00:00:00.000Z\", \"assignerOrgId\": \"cb3b742e-5145-4748-b44b-5ffd45bf3b6a\", \"datePublished\": \"2022-12-01T00:00:00.000Z\", \"assignerShortName\": \"WDC PSIRT\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…