CVE-2022-36328 MEDIUM

CVE-2022-36328: Path Traversal Vulnerability leading to an arbitrary file read in Western Digital devices

Vendor Western Digital

Product My Cloud Home and My Cloud Home Duo

Weakness CWE-22 · Path traversal

Published May 18, 2023

Last update January 22, 2025

View on NVD All CVEs

CVSS base score

5.8/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

Key dates

02Disclosure timeline

May 18, 2023 CVE published

January 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-36328 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/22.html

Related vulnerabilities

Identifiers

CVE CVE-2022-36328

CWE CWE-22

CVSS 5.8 / MEDIUM

Affected versions

Vendor Western Digital

Product My Cloud Home and My Cloud Home Duo

Affected < 9.4.0-191

Vendor Sandisk

Product ibi

Affected < 9.4.0-191

Vendor Western Digital

Product My Cloud OS 5

Affected < 5.26.202

CVE-2022-36328: Path Traversal Vulnerability leading to an arbitrary file read in Western Digital devices

01Description

02Disclosure timeline

03References

04Related CVE