CVE-2022-23006

27.09.2022, 23:15

A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	1.8 LOW	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
WDC PSIRT	CNA	1.8 LOW	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Vendor	Product	Version
westerndigital	my_cloud_home_firmware	𝑥 < 8.10.0-117
westerndigital	my_cloud_home_duo_firmware	𝑥 < 8.10.0-117
westerndigital	sandisk_ibi_firmware	𝑥 < 8.10.0-117

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://nvd.nist.gov/vuln/detail/CVE-2022-23006

https://www.westerndigital.com/support/product-security/wdc-22015-western-digital-my-cloud-home-and-sandisk-ibi-firmware-version-8-10-0-117

https://nvd.nist.gov/vuln/detail/CVE-2022-23006