CVE-2022-22995 | The combination of primitives offered by SMB and AFP in thei… | CVSS 10.0 CRITICAL

Description

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

Metadata

CVE ID: CVE-2022-22995
State: PUBLISHED
Assigner: WDC PSIRT
Reserved: 2022-01-10 00:00 UTC
Published: 2022-03-25 00:00 UTC
Last updated: 2025-11-03 21:45 UTC
Primary CWE: CWE-59
CWE-59 Improper Link Resolution Before File Access ('Link Fo…
Vendor / Product: Western Digital / My Cloud
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Affected products (2)

Vendor	Product	Platform	Versions
Western Digital	My Cloud	Linux	My Cloud OS 5 < 5.19.117
Western Digital	My Cloud Home	Android	My Cloud Home < 7.16-220

Weakness (CWE)

CWE	Source	Description
CWE-59	cna	CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

References (6)

https://www.westerndigital.com/support/product-security/wdc-22005-netatalk-security-vulnerabilities
FEDORA-2023-cec97f7b5d https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2/
FEDORA-2023-ef901c862c https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO/
GLSA-202311-02 https://security.gentoo.org/glsa/202311-02
FEDORA-2023-39f0ec3879 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW/
[debian-lts-announce] 20240104 [SECURITY] [DLA 3706-1] netatalk security update https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html