WDC Tracking Number: WDC-22018
Product Line: WD My Cloud Home, WD My Cloud Home Duo and SanDisk ibi
Published: November 14, 2022
Last Updated: November 14, 2022
Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices were affected by a path traversal vulnerability that could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to code execution.
These devices were also vulnerable to multiple issues in the open-source curl package that could allow a remote attacker to obtain sensitive information, leak authentication or cookie header data or facilitate a denial-of-service attack.
My Cloud Home, My Cloud Home Duo and ibi firmware version 8.12.0-178 includes updates to address these vulnerabilities. Your devices will be automatically updated to reflect the latest firmware version.
For more information on the latest security updates, see the release notes.
The path traversal vulnerability was addressed by ensuring that when the final path is created, it is resolved under the target directory.
CVE Number: CVE-2022-29837
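The fix described above, resolving the final path and confirming it stays under the target directory, can be illustrated as follows. This is an added example, not Western Digital's firmware code; the function names and the in-memory sample archives are constructed for illustration, and the check is applied to every member before any file is written.

```python
import io
import os
import zipfile


class UnsafeArchiveError(Exception):
    """An archive member would resolve outside the target directory."""


def resolve_member(target_dir, member_name):
    """Return the resolved destination path, or raise if it escapes target_dir."""
    base = os.path.realpath(target_dir)
    # Join first, then resolve "..", absolute names and symlinks in the final path.
    final = os.path.realpath(os.path.join(base, member_name))
    if os.path.commonpath([base, final]) != base:
        raise UnsafeArchiveError(f"{member_name!r} resolves outside {base!r}")
    return final


def safe_extract(archive, target_dir):
    """Validate all members up front, then extract; returns the files written."""
    planned = [(info, resolve_member(target_dir, info.filename))
               for info in archive.infolist()]
    written = []
    for info, final in planned:
        if info.is_dir():
            os.makedirs(final, exist_ok=True)
            continue
        os.makedirs(os.path.dirname(final), exist_ok=True)
        with archive.open(info) as src, open(final, "wb") as dst:
            dst.write(src.read())
        written.append(final)
    return written


def build_archive(names):
    """Constructed sample input: an in-memory ZIP holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

Comparing resolved paths with `os.path.commonpath` avoids the prefix-matching mistake where a sibling directory such as `target_evil` passes a plain `startswith(target)` test.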
Addressed multiple curl vulnerabilities by updating the version to 7.64.0-4+deb10u3.
CVE Number: CVE-2021-22898, CVE-2021-22924, CVE-2021-22945, CVE-2021-22946, CVE-2021-22947, CVE-2022-22576, CVE-2022-27775, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208