CVE-2023-22817

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-22817

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

S

erver-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. 

References
Link Resource
https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update Vendor Advisory
https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_pr2100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_pr2100:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_pr4100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_ex4100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_ex4100:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_mirror_g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_mirror_g2:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_dl2100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_dl2100:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_dl4100:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_ex2100:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_glacier_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_glacier:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:westerndigital:wd_cloud_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:wd_cloud:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_home_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_home:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_home_duo_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_home_duo:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:westerndigital:sandisk_ibi_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:sandisk_ibi:-:*:*:*:*:*:*:*
History

21 Nov 2024, 07:45

Type Values Removed Values Added
References () https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update - Vendor Advisory () https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update - Vendor Advisory
Information

Published : 2024-02-05 22:15

Updated : 2024-11-21 07:45

NVD link : CVE-2023-22817

Mitre link : CVE-2023-22817

CVE.ORG link : CVE-2023-22817

JSON object : View

Products Affected

westerndigital

CWE
CWE-918

Server-Side Request Forgery (SSRF)