CVE-2023-22817 MEDIUM

CVE-2023-22817: Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products

Vendor Western Digital

Product My Cloud OS 5

Weakness CWE-918 · SSRF

Published February 5, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

5.5/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.

Key dates

02Disclosure timeline

February 5, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-22817

Related vulnerabilities

Identifiers

CVE CVE-2023-22817

CWE CWE-918

CVSS 5.5 / MEDIUM

Affected versions

Vendor Western Digital

Product My Cloud OS 5

Affected < 5.27.161

Vendor Western Digital

Product My Cloud Home & Duo

Affected < 9.5.1-104

Vendor Sandisk

Product ibi

Affected < 9.5.1-104

CVE-2023-22817: Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products

01Description

02Disclosure timeline

03References

04Related CVE