CVE-2022-29836 — Path Traversal in IBI

CWE-22 — Path Traversal2 documents2 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 61.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sandisk IBI Western Digital MY Cloud Home Westerndigital MY Cloud Home DUO Firmware +2 more

Timeline

PublishedNov 9

Latest updateNov 10

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Cloud Home; My Cloud Home Duo; and SanDisk ibi devices that could allow an attacker to abuse certain parameters to point to random locations on the file system. This could also allow the attacker to initiate the installation of custom packages at these locations. This can only be exploited once the attacker has been authenticated to the device. This is…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5western_digital/my_cloud_homeMy Cloud Home — 8.11.0-113+1

▶NVDwesterndigital/my_cloud_home_firmware< 8.11.0-113

▶NVDwesterndigital/my_cloud_home_duo_firmware< 8.11.0-113

▶NVDwesterndigital/sandisk_ibi_firmware< 8.11.0-113

▶CVEListV5sandisk/ibiibi — 8.11.0-113

🔴Vulnerability Details

GHSA

GHSA-7c3q-7247-h3cx: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Clou↗2022-11-10

▶