Advisories

Summary

Misconfiguration in Node.js causing code execution in WD Discovery.

WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing an environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within the WD Discovery application's context. WD Discovery version 5.0.589 addresses this issue by disabling certain features and fuses in Electron.
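
To check whether an Electron application ships with its Node.js-related fuses disabled, the fuse wire can be read straight from the binary. This is an added example, not code from Western Digital or from this advisory. The sentinel and fuse names follow Electron's public fuse documentation. The `WANT_DISABLED` policy is an assumption (the advisory does not list the fuses changed in 5.0.589), and `sampleBinary` builds constructed test input.

```javascript
// Added example, not Western Digital's code: read the Electron fuse wire from an app binary.
const SENTINEL = Buffer.from('dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX', 'latin1');
// Fuse order for wire version 1, as documented by Electron.
const FUSES_V1 = [
  'RunAsNode', 'EnableCookieEncryption', 'EnableNodeOptionsEnvironmentVariable',
  'EnableNodeCliInspectArguments', 'EnableEmbeddedAsarIntegrityValidation',
  'OnlyLoadAppFromAsar', 'LoadBrowserProcessSpecificV8Snapshot',
  'GrantFileProtocolExtraPrivileges',
];
// Assumption: the audit policy. The advisory does not say which fuses 5.0.589 changed.
const WANT_DISABLED = ['RunAsNode', 'EnableNodeOptionsEnvironmentVariable',
  'EnableNodeCliInspectArguments'];
const STATE = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };

// Returns one {fuseName: state} map per fuse wire (universal macOS binaries carry two).
function readFuses(binary) {
  const wires = [];
  for (let at = binary.indexOf(SENTINEL); at !== -1; at = binary.indexOf(SENTINEL, at + 1)) {
    const pos = at + SENTINEL.length;
    const version = binary[pos];
    const length = binary[pos + 1];
    if (version !== 1 || !(pos + 2 + length <= binary.length)) {
      throw new Error(`unsupported or truncated fuse wire at offset ${at}`);
    }
    const fuses = {};
    for (let i = 0; i < length; i++) {
      fuses[FUSES_V1[i] || `unknown_${i}`] = STATE[binary[pos + 2 + i]] || 'invalid';
    }
    wires.push(fuses);
  }
  if (wires.length === 0) throw new Error('no fuse sentinel found');
  return wires;
}

// Lists every policy fuse that is not explicitly disabled; an absent fuse keeps its default.
function auditFuses(binary) {
  const findings = [];
  readFuses(binary).forEach((fuses, wire) => {
    for (const name of WANT_DISABLED) {
      const state = fuses[name] || 'absent';
      if (state !== 'disabled') findings.push({ wire, fuse: name, state });
    }
  });
  return findings;
}

// Constructed sample input: padding + sentinel + version 1 + length + one state byte per fuse.
function sampleBinary(states) {
  return Buffer.concat([Buffer.from('constructed padding'), SENTINEL,
    Buffer.from([1, states.length]), Buffer.from(states, 'latin1'), Buffer.from('tail')]);
}
```

On an installed application, pass the contents of the main executable, for example `auditFuses(require('fs').readFileSync(pathToExecutable))`; an empty result means every fuse in the policy is disabled.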

Vendor / Vendor Homepage:
Western Digital / westerndigital[dot]com

Affected Products:
WD Discovery versions prior to 5.0.589

Fixed Version:
WD Discovery version 5.0.589

CVE-ID:
CVE-2024-22169

CVSS Score - NVD: 7.1/High - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H

References:
https://www.westerndigital.com/support/product-security/wdc-24004-wd-discovery-desktop-app-version-5-0-589
https://www.cve.org/CVERecord?id=CVE-2024-22169
https://nvd.nist.gov/vuln/detail/CVE-2024-22169

Acknowledgement

YoKo Kho, Fahad Alamri, and AbdulKarim Alsabilah from HakTrak Cybersecurity Squad