History: May 08, 2023 - 11:15 p.m.

CVE-2023-22813

2023-05-08 23:15:09
CWE-862
CWE-200
web.nvd.nist.gov
Tags: cve-2023, 22813, western digital, my cloud, sandisk, api, security, vulnerability, mobile apps, web app, access controls, cors policy, authentication

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score: 4.4 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 34.8%)

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request.

This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.

Affected configurations

NVD
Node
westerndigital  my_cloud          Range <4.26.0-6126  -
OR
westerndigital  my_cloud_home     Range <4.21.0       android
OR
westerndigital  my_cloud_home     Range <4.21.0       iphone_os
OR
westerndigital  my_cloud_home     Range <4.26.0-6126  -
OR
westerndigital  my_cloud_os_5     Range <4.21.0       android
OR
westerndigital  my_cloud_os_5     Range <4.21.0       iphone_os
OR
westerndigital  sandisk_ibi       Range <4.21.0       android
OR
westerndigital  sandisk_ibi       Range <4.21.0       iphone_os
OR
westerndigital  sandisk_ibi       Range <4.26.0-6126  -

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Android",
      "iOS"
    ],
    "product": "My Cloud OS 5 Mobile App",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "4.21.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "iOS",
      "Android"
    ],
    "product": "My Cloud Home Mobile App",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "4.21.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Android",
      "iOS"
    ],
    "product": "ibi Mobile App",
    "vendor": "SanDisk",
    "versions": [
      {
        "lessThan": "4.21.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "My Cloud OS 5 Web App",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": " 4.26.0-6126",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "My Cloud Home Web App",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": " 4.26.0-6126",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "ibi Web App",
    "vendor": "SanDisk",
    "versions": [
      {
        "lessThan": " 4.26.0-6126",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
