CVE-2024-22169
HIGH EPSS 17.2%
Published Aug 2, 20241y ago · Modified Jun 17, 20262w ago
7.1 CVSS 4.0
Published Aug 2, 2024 1y ago
Last Modified Jun 17, 2026 2w ago
Description
WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within WD Discovery application's context. WD Discovery version 5.0.589 addresses this issue by disabling certain features and fuses in Electron. The attack vector for this issue requires the victim to have the WD Discovery app installed on their device.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X
Threat Intelligence
EPSS Exploit Probability
17.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-94 Improper Control of Generation of Code (Code Injection) Injection
References 1
- westerndigital.com https://www.westerndigital.com/support/product-security/wdc-24004-wd-discovery-desktop-app-version-5-0-589
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.