CVE-2024-22169

Misconfiguration in Node.js causing code execution in WD Discovery

  • Severity Score: 7.1 (CVSS v4)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track* (SSVC)

Descriptions

WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within the WD Discovery application's context. WD Discovery version 5.0.589 addresses this issue by disabling certain features and fuses in Electron. The attack vector for this issue requires the victim to have the WD Discovery app installed on their device.

*Credits: Western Digital would like to thank YoKo Kho, Fahad Alamri, and AbdulKarim from HakTrak Cybersecurity Squad for reporting this issue.

CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Attack Requirements: Present
  • Privileges Required: None
  • User Interaction: Passive
  • Impact by system (Vulnerable | Subsequent):
      Confidentiality: None | High
      Integrity: High | High
      Availability: None | High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2024-01-05 CVE Reserved
  • 2024-08-02 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-06 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Western Digital | WD Discovery | < 5.0.589 | en | Affected