CVE-2024-22169 HIGH

CVE-2024-22169: Misconfiguration in node.js causing a code execution in WD Discovery

Vendor Western Digital
Product WD Discovery
Weakness CWE-94 · Code injection
Published August 2, 2024
Last update August 5, 2024

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution through the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application running with standard user permissions can exploit this vulnerability to execute code in the context of the WD Discovery application. WD Discovery version 5.0.589 addresses the issue by disabling certain features and fuses in Electron. The attack requires the victim to have the WD Discovery app installed on their device.
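A defender-side check for the kind of setting the description refers to, as an added example (not Western Digital's or the Electron project's code): it reads the fuse wire embedded in an Electron binary and reports whether `ELECTRON_RUN_AS_NODE` would still be honoured. That the relevant fuse is Electron's `RunAsNode`, along with the sentinel string, byte layout and fuse order (taken from the `@electron/fuses` package), are assumptions not stated on this page; the sample buffers are constructed.

```javascript
// Added example: inspect Electron's fuse wire in a packaged binary.
// Assumed layout (from @electron/fuses): sentinel string, 1 version byte,
// 1 length byte, then one ASCII state byte per fuse ('0', '1' or 'r').
const SENTINEL = 'dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX';
const STATES = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };
const FUSE_NAMES = ['RunAsNode', 'EnableCookieEncryption',
  'EnableNodeOptionsEnvironmentVariable', 'EnableNodeCliInspectArguments'];

// Parse every fuse wire in the buffer (universal macOS builds carry two).
function readFuses(binary) {
  const wires = [];
  let at = binary.indexOf(SENTINEL);
  while (at !== -1) {
    const pos = at + SENTINEL.length;
    if (pos + 2 > binary.length) throw new Error('truncated fuse wire');
    const version = binary[pos];
    const length = binary[pos + 1];
    if (pos + 2 + length > binary.length) throw new Error('truncated fuse wire');
    const fuses = {};
    for (let i = 0; i < length; i++) {
      fuses[FUSE_NAMES[i] || `fuse${i}`] = STATES[binary[pos + 2 + i]] || 'unknown';
    }
    wires.push({ version, fuses });
    at = binary.indexOf(SENTINEL, pos);
  }
  if (wires.length === 0) throw new Error('no fuse sentinel found');
  return wires;
}

// Conservative verdict: flag the binary unless RunAsNode is explicitly
// disabled in every wire found.
function runAsNodeAllowed(binary) {
  return readFuses(binary).some((w) => w.fuses.RunAsNode !== 'disabled');
}

// Constructed sample: filler bytes, sentinel, version 1, then fuse states.
function sampleBinary(states) {
  return Buffer.concat([Buffer.from('constructed-filler'), Buffer.from(SENTINEL),
    Buffer.from([1, states.length]), Buffer.from(states, 'ascii')]);
}

// Check a real file, e.g. the framework binary of an installed Electron app.
async function checkFile(path) {
  const { readFile } = await import('node:fs/promises');
  return runAsNodeAllowed(await readFile(path));
}
```

A `true` result means the fuse is not explicitly off in at least one wire, so the build should be treated as still accepting `ELECTRON_RUN_AS_NODE`.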

Key dates

02 Disclosure timeline

August 2, 2024 CVE published
August 5, 2024 Record updated