ID

VAR-202209-1975


CVE

CVE-2022-23006


TITLE

Out-of-bounds write vulnerabilities in multiple Western Digital products

Trust: 0.8

sources: JVNDB: JVNDB-2022-018157

DESCRIPTION

A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from the /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, system crashes, or a denial-of-service (DoS) condition. Western Digital My Cloud and the other affected devices are products of Western Digital. Western Digital My Cloud is a personal cloud storage device. Western Digital My Cloud Home is an easy-to-use personal cloud storage device. SanDisk ibi and related devices are products of SanDisk Corporation of the United States. SanDisk ibi is an intelligent photo organizer and media storage hard drive. There is a buffer overflow vulnerability in Western Digital products. Attackers can use this vulnerability to access the system locally and read the /etc/version file.

Trust: 2.25

sources: NVD: CVE-2022-23006 // JVNDB: JVNDB-2022-018157 // CNVD: CNVD-2022-88804 // VULMON: CVE-2022-23006

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-88804

AFFECTED PRODUCTS

vendor: westerndigital, model: my cloud home, scope: lt, version: 8.10.0-117

Trust: 1.0

vendor: westerndigital, model: sandisk ibi, scope: lt, version: 8.10.0-117

Trust: 1.0

vendor: westerndigital, model: my cloud home duo, scope: lt, version: 8.10.0-117

Trust: 1.0

vendor: western digital, model: my cloud home duo, scope: -, version: -

Trust: 0.8

vendor: western digital, model: sandisk ibi, scope: -, version: -

Trust: 0.8

vendor: western digital, model: my cloud home, scope: -, version: -

Trust: 0.8

vendor: western, model: digital my cloud home, scope: lt, version: 8.10.0-117

Trust: 0.6

vendor: western, model: digital my cloud home duo, scope: lt, version: 8.10.0-117

Trust: 0.6

vendor: western, model: digital sandisk ibi, scope: lt, version: 8.10.0-117

Trust: 0.6

sources: CNVD: CNVD-2022-88804 // JVNDB: JVNDB-2022-018157 // NVD: CVE-2022-23006

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23006
value: MEDIUM

Trust: 1.0

psirt@wdc.com: CVE-2022-23006
value: LOW

Trust: 1.0

NVD: CVE-2022-23006
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2022-88804
value: LOW

Trust: 0.6

CNNVD: CNNVD-202209-2808
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2022-88804
severity: LOW
baseScore: 3.7
vectorString: AV:L/AC:H/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-23006
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@wdc.com: CVE-2022-23006
baseSeverity: LOW
baseScore: 1.8
vectorString: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.3
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2022-23006
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-88804 // JVNDB: JVNDB-2022-018157 // CNNVD: CNNVD-202209-2808 // NVD: CVE-2022-23006 // NVD: CVE-2022-23006

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

problemtype:Out-of-bounds write (CWE-787) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-018157 // NVD: CVE-2022-23006

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202209-2808

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202209-2808

EXTERNAL IDS

db: NVD, id: CVE-2022-23006

Trust: 3.9

db: JVNDB, id: JVNDB-2022-018157

Trust: 0.8

db: CNVD, id: CNVD-2022-88804

Trust: 0.6

db: CNNVD, id: CNNVD-202209-2808

Trust: 0.6

db: VULMON, id: CVE-2022-23006

Trust: 0.1

sources: CNVD: CNVD-2022-88804 // VULMON: CVE-2022-23006 // JVNDB: JVNDB-2022-018157 // CNNVD: CNNVD-202209-2808 // NVD: CVE-2022-23006

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2022-23006

Trust: 3.9

url:https://www.westerndigital.com/support/product-security/wdc-22015-western-digital-my-cloud-home-and-sandisk-ibi-firmware-version-8-10-0-117

Trust: 2.4

url:https://cxsecurity.com/cveshow/cve-2022-23006/

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2022-88804 // VULMON: CVE-2022-23006 // JVNDB: JVNDB-2022-018157 // CNNVD: CNNVD-202209-2808 // NVD: CVE-2022-23006

SOURCES

db: CNVD, id: CNVD-2022-88804
db: VULMON, id: CVE-2022-23006
db: JVNDB, id: JVNDB-2022-018157
db: CNNVD, id: CNNVD-202209-2808
db: NVD, id: CVE-2022-23006

LAST UPDATE DATE

2024-08-14T14:17:41.799000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-88804, date: 2022-12-20T00:00:00
db: VULMON, id: CVE-2022-23006, date: 2022-09-28T00:00:00
db: JVNDB, id: JVNDB-2022-018157, date: 2023-10-18T08:12:00
db: CNNVD, id: CNNVD-202209-2808, date: 2022-10-08T00:00:00
db: NVD, id: CVE-2022-23006, date: 2022-10-03T18:40:17.377

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-88804, date: 2022-12-16T00:00:00
db: VULMON, id: CVE-2022-23006, date: 2022-09-27T00:00:00
db: JVNDB, id: JVNDB-2022-018157, date: 2023-10-18T00:00:00
db: CNNVD, id: CNNVD-202209-2808, date: 2022-09-27T00:00:00
db: NVD, id: CVE-2022-23006, date: 2022-09-27T23:15:12.720