Western Digital content app vulnerable to unauthorized media access

silversurfer

Western Digital's EdgeRover desktop app for both Windows and Mac is vulnerable to local privilege escalation and sandboxing escape bugs that could allow the disclosure of sensitive information or denial of service (DoS) attacks.

EdgeRover is a centralized content management solution for Western Digital and SanDisk products, unifying multiple digital storage devices under a single management interface.
It's a proprietary software solution aiming to increase usability and comfort, offering powerful content searching, filtering, categorization options, privacy settings, collection creation, duplicate detection, and more.

Considering that Western Digital is one of the world's most successful manufacturers and retailers of digital storage products, there are likely a significant number of people using EdgeRover for data management.

A data-exposing problem

The vulnerability, tracked as CVE-2022-22998, is a directory traversal bug, allowing unauthorized access to restricted directories and files. The vulnerability has been given a CVSS v3 severity rating of 9.1, categorizing the flaw as critical.

Western Digital's brief advisory does not provide much detail regarding the vulnerability, so it is not clear if it is a DLL hijacking bug allowing local privilege elevation or a bug allowing access to unprivileged data locations.

However, Western Digital is advising its customers to update their EdgeRover desktop applications to version 1.5.1-594 or later, released last week to resolve these vulnerabilities.
 
