CVE-2022-22995 — Link Following in Digital MY Cloud

CWE-59 — Link Following5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 62.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Western Digital MY Cloud Western Digital MY Cloud Home Netatalk +13 more

Timeline

PublishedMar 25

Latest updateMay 28

Description

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages16 packages

▶debiandebian/netatalk< netatalk 3.1.12~ds-8+deb11u2 (bullseye)

▶NVDnetatalk/netatalk< 3.1.18

▶CVEListV5western_digital/my_cloudMy Cloud OS 5 — 5.19.117

▶CVEListV5western_digital/my_cloud_homeMy Cloud Home — 7.16-220

▶NVDwesterndigital/my_cloud_firmware< 5.19.117

Also affects: Fedora 37, 38, 39

🔴Vulnerability Details

GHSA

GHSA-wc8x-f5rv-3653: The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files↗2022-03-27

▶

OSV

CVE-2022-22995: The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files↗2022-03-25

▶

📋Vendor Advisories

Ubuntu

Netatalk vulnerabilities↗2024-05-28

▶

Debian

CVE-2022-22995: netatalk - The combination of primitives offered by SMB and AFP in their default configurat...↗2022

▶