CVE-2023-22817

Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products

CVSS 5.5 MEDIUMEPSS 0.2%CWE-918

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.5EPSS 0.2%KEV nãoPoC —Patch —

Lifecycle

Feb 05, 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected products

SanDisk · ibi Western Digital · My Cloud Home & Duo Western Digital · My Cloud OS 5

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update