Misconfiguration in Node.js causing code execution in WD Discovery.
WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing an environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within the WD Discovery application's context. WD Discovery version 5.0.589 addresses this issue by disabling certain features and fuses in Electron.
Vendor / Vendor Homepage:
Western Digital / westerndigital[dot]com
Affected Products:
WD Discovery versions prior to 5.0.589
Fixed Version:
WD Discovery version 5.0.589
CVE-ID:
CVE-2024-22169
CVSS Score - NVD: 7.1/High - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
References:
https://www.westerndigital.com/support/product-security/wdc-24004-wd-discovery-desktop-app-version-5-0-589
https://www.cve.org/CVERecord?id=CVE-2024-22169
https://nvd.nist.gov/vuln/detail/CVE-2024-22169
Credits:
YoKo Kho, Fahad Alamri, and AbdulKarim Alsabilah from HakTrak Cybersecurity Squad
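The advisory states that the fix disables certain Electron fuses but does not name them. As an added example (not code from Western Digital, HakTrak or the Electron project), the script below parses the fuse wire embedded in an Electron-based executable, following the V1 layout used by the @electron/fuses package, so a defender can verify on an installed build whether the fuses governing environment-variable driven Node.js behaviour are off. Assumptions: the wire layout and fuse order given in the comments, the mapping of this issue onto the RunAsNode and EnableNodeOptionsEnvironmentVariable fuses, and the constructed sample wires.

```python
# Added example (not WD's or Electron's code). Wire layout assumed from the
# @electron/fuses V1 format: 32-byte sentinel, ASCII '1' version byte, a raw
# length byte, then one byte per fuse ('1' enabled, '0' disabled, 'r' removed).
from pathlib import Path

SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"
FUSE_V1_NAMES = [  # wire order of FuseV1Options in @electron/fuses
    "RunAsNode", "EnableCookieEncryption",
    "EnableNodeOptionsEnvironmentVariable", "EnableNodeCliInspectArguments",
    "EnableEmbeddedAsarIntegrityValidation", "OnlyLoadAppFromAsar",
    "LoadBrowserProcessSpecificV8Snapshot", "GrantFileProtocolExtraPrivileges",
]
STATE = {0x30: "disabled", 0x31: "enabled", 0x72: "removed"}
# Assumed mapping of the advisory's env-var vector onto fuses: both must be off.
MUST_BE_OFF = ("RunAsNode", "EnableNodeOptionsEnvironmentVariable")


def parse_fuse_wire(blob: bytes) -> dict:
    """Return {fuse_name: state} from the first fuse wire found in blob."""
    pos = blob.find(SENTINEL)
    if pos < 0:
        raise ValueError("no Electron fuse sentinel found")
    pos += len(SENTINEL)
    if blob[pos:pos + 1] != b"1":
        raise ValueError("unsupported fuse wire version")
    length = blob[pos + 1]
    wire = blob[pos + 2:pos + 2 + length]
    if len(wire) != length:
        raise ValueError("truncated fuse wire")
    names = FUSE_V1_NAMES + [f"Unknown{i}" for i in range(len(FUSE_V1_NAMES), length)]
    return {names[i]: STATE.get(b, "unknown") for i, b in enumerate(wire)}


def env_var_vector_closed(fuses: dict) -> bool:
    """True only when every fuse in MUST_BE_OFF is disabled or removed."""
    return all(fuses.get(n) in ("disabled", "removed") for n in MUST_BE_OFF)


def audit_binary(path: str) -> bool:
    """Read an Electron executable from disk and run the check on it."""
    return env_var_vector_closed(parse_fuse_wire(Path(path).read_bytes()))


# Constructed samples: Electron defaults (all fuses on) vs. a hardened wire.
DEFAULT_WIRE = b"\x00pad\x00" + SENTINEL + b"1" + bytes([8]) + b"11111111" + b"\x00"
HARDENED_WIRE = b"\x00pad\x00" + SENTINEL + b"1" + bytes([8]) + b"01011111" + b"\x00"

if __name__ == "__main__":
    for label, blob in (("default", DEFAULT_WIRE), ("hardened", HARDENED_WIRE)):
        print(label, "closed" if env_var_vector_closed(parse_fuse_wire(blob)) else "open")
```

Point `audit_binary` at the app's main Electron executable; a result of `False` means at least one of the two Node-related fuses is still enabled.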