CVE-2024-22169

Misconfiguration in node.js causing a code execution in WD Discovery

Description

WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within WD Discovery application's context. WD Discovery version 5.0.589 addresses this issue by disabling certain features and fuses in Electron. The attack vector for this issue requires the victim to have the WD Discovery app installed on their device.

Remediation

Solution:

Users can download the latest version from the WD Discovery Downloads page or by following the instructions on the WD Discovery: Online User Guide https://support-en.wd.com/app/answers/detailweb/a_id/20465

References

Link	Tags
https://www.westerndigital.com/support/product-security/wdc-24004-wd-discovery-desktop-app-version-5-0-589

Frequently Asked Questions

What is the severity of CVE-2024-22169?: CVE-2024-22169 has been scored as a high severity vulnerability.
How to fix CVE-2024-22169?: To fix CVE-2024-22169: Users can download the latest version from the WD Discovery Downloads page or by following the instructions on the WD Discovery: Online User Guide https://support-en.wd.com/app/answers/detailweb/a_id/20465
Is CVE-2024-22169 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-22169 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-22169?: CVE-2024-22169 affects Western Digital WD Discovery.

Description

Remediation

Category

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions