Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.
References
| Link | Resource |
|---|---|
| https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191 | Release Notes Vendor Advisory |
| https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202 | Release Notes Vendor Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
Configuration 2 (hide)
| AND |
|
Configuration 3 (hide)
| AND |
|
Configuration 4 (hide)
| AND |
|
History
27 May 2023, 03:37
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Westerndigital my Cloud Pr4100
Westerndigital my Cloud Ex4100 Westerndigital my Cloud Home Duo Westerndigital my Cloud Westerndigital my Cloud Home Duo Firmware Westerndigital my Cloud Mirror G2 Westerndigital my Cloud Os 5 Westerndigital Westerndigital my Cloud Pr2100 Westerndigital wd Cloud Westerndigital sandisk Ibi Westerndigital my Cloud Ex2100 Westerndigital sandisk Ibi Firmware Westerndigital my Cloud Home Westerndigital my Cloud Dl2100 Westerndigital my Cloud Home Firmware Westerndigital my Cloud Ex2 Ultra Westerndigital my Cloud Dl4100 |
|
| References | (MISC) https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202 - Release Notes, Vendor Advisory | |
| References | (MISC) https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191 - Release Notes, Vendor Advisory | |
| CPE | cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:* cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud:-:*:*:*:*:*:*:* cpe:2.3:o:westerndigital:my_cloud_os_5:*:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:* cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:* cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:* |
|
| CWE | CWE-22 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.9 |
18 May 2023, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-05-18 18:15
Updated : 2023-12-10 15:01
NVD link : CVE-2022-36328
Mitre link : CVE-2022-36328
CVE.ORG link : CVE-2022-36328
JSON object : View
Products Affected
westerndigital
- my_cloud_dl2100
- my_cloud_pr4100
- my_cloud_home_duo
- my_cloud_ex4100
- sandisk_ibi_firmware
- my_cloud_mirror_g2
- my_cloud_ex2100
- my_cloud_ex2_ultra
- my_cloud
- my_cloud_os_5
- my_cloud_dl4100
- my_cloud_home_firmware
- my_cloud_home
- wd_cloud
- my_cloud_home_duo_firmware
- my_cloud_pr2100
- sandisk_ibi
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')