Vulnerability Details : CVE-2022-36327
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited.
This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.
Vulnerability category: Directory traversal, Execute code
Products affected by CVE-2022-36327
- cpe:2.3:o:westerndigital:my_cloud_os_5:*:*:*:*:*:*:*:*
- cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36327
- 0.45%: Probability of exploitation activity in the next 30 days
- ~ 75%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-36327
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
5.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N | 1.3 | 4.0 | Western Digital | |
CWE ids for CVE-2022-36327
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by:
- nvd@nist.gov (Primary)
- psirt@wdc.com (Secondary)
References for CVE-2022-36327
- https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191
  WDC-23003 Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Firmware Version 9.4.0-191 | Western Digital (Release Notes; Vendor Advisory)
- https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202
  WDC-23006 My Cloud Firmware Version 5.26.202 | Western Digital (Release Notes; Vendor Advisory)