CVE Tools
Sign in

CVE-2024-22169

Misconfiguration in node.js causing a code execution in WD Discovery

Published: Aug 2, 2024Updated: Aug 5, 2024 Sources: CVE List NVD BDUCWE-94
NVD MITRE
9.3CVSSCRITICAL
EPSS Score
0.3%
Top 83.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within WD Discovery application's context. WD Discovery version 5.0.589 addresses this issue by disabling certain features and fuses in Electron. The attack vector for this issue requires the victim to have the WD Discovery app installed on their device.

CVSS Vector Breakdown

AV:LAC:LC:HI:HA:H
Exploitability
AV:LAccess Vector
Local
AC:LAccess Complexity
Low
Impact
C:HConfidentiality
H
I:HIntegrity
H
A:HAvailability
H
Open in CVSS calculator →

Weaknesses

CWE-94

Affected Products

WD DiscoveryWestern Digital
On-prem
Hardware Firmware / storage-nas
WindowsMicrosoft Corp
On-premOS
Operating Systems / windows
MacOSApple Inc.
On-premOS
Operating Systems / unix-bsd
WD DiscoveryWestern Digital CorporationHardware Firmware
western digitalcommercialUSHardware Firmwareaka western digital
microsoft corpcommercialUSOperating Systemsaka microsoft corporation
apple inc.commercialUSMobile Appsaka apple
western digital corporationcommercialUSHardware Firmwareaka western digital

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

2 techniques
Execution
Initial Access
View detailed technique mapping

References

https://www.westerndigital.com/support/product-security/wdc-24004-wd-discovery-desktop-app-version-5-0-589
westerndigital.com
https://www.westerndigital.com/support/product-security/wdc-24004-wd-discovery-desktop-app-version-5-0-589
westerndigital.com
https://vuldb.com/ru/?id.273507
vuldb.com

Timeline

Published
Aug 2, 2024
Last Updated
Aug 5, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-22169 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows