CVE-2022-36328

CVSS V2 None CVSS V3 None
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.
Overview
  • CVE ID
  • CVE-2022-36328
  • Assigner
  • psirt@wdc.com
  • Vulnerability Status
  • Received
  • Published Version
  • 2023-05-18T18:15:09
  • Last Modified Date
  • 2023-05-18T18:15:09
Weakness Enumerations
CWE URL
CWE-22 http://cwe.mitre.org/data/definitions/22.html
References
Reference URL Reference Tags
https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191
https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-36328
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36328
History
Created Old Value New Value Data Type Notes
2023-05-18 19:00:40 Added to TrackCVE
2023-05-18 19:00:45 Weakness Enumeration new