CVE-2022-36327 MEDIUM

CVE-2022-36327: Path traversal vulnerability leading to an arbitrary file write in Western Digital devices

Vendor Western Digital

Product My Cloud Home and My Cloud Home Duo

Weakness CWE-22 · Path traversal

Published May 18, 2023

Last update January 22, 2025

View on NVD All CVEs

CVSS base score

5.8/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

Key dates

02Disclosure timeline

May 18, 2023 CVE published

January 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-36327 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/22.html

Related vulnerabilities

Identifiers

CVE CVE-2022-36327

CWE CWE-22

CVSS 5.8 / MEDIUM

Affected versions

Vendor Western Digital

Product My Cloud Home and My Cloud Home Duo

Affected < 9.4.0-191

Vendor Sandisk

Product ibi

Affected < 9.4.0-191

Vendor Western Digital

Product My Cloud OS 5

Affected < 5.26.202

CVE-2022-36327: Path traversal vulnerability leading to an arbitrary file write in Western Digital devices

01Description

02Disclosure timeline

03References

04Related CVE