Lucene search

[email protected]CVE-2023-22813

HistoryMay 08, 2023 - 11:15 p.m.

CVE-2023-22813

2023-05-0823:15:09

CWE-862

CWE-200

[email protected]

web.nvd.nist.gov

cve-2023

22813

western digital

my cloud

sandisk

api

security

vulnerability

mobile apps

web app

access controls

cors policy

authentication

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.9%

JSON

A device API
endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy
and missing authentication requirement for private IPs, a remote attacker on
the same network as the device could obtain device information by convincing a
victim user to visit an attacker-controlled server and issue a cross-site
request.

This issue affects
My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My
Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126;
ibi Web App: before 4.26.0-6126.

Affected configurations

NVD

Node

westerndigitalmy_cloudRange<4.26.0-6126-

westerndigitalmy_cloud_homeRange<4.21.0android

westerndigitalmy_cloud_homeRange<4.21.0iphone_os

westerndigitalmy_cloud_homeRange<4.26.0-6126-

westerndigitalmy_cloud_os_5Range<4.21.0android

westerndigitalmy_cloud_os_5Range<4.21.0iphone_os

westerndigitalsandisk_ibiRange<4.21.0android

westerndigitalsandisk_ibiRange<4.21.0iphone_os

westerndigitalsandisk_ibiRange<4.26.0-6126-

CPENameOperatorVersion
westerndigital:my_cloudwesterndigital my cloudlt4.26.0-6126
westerndigital:my_cloud_homewesterndigital my cloud homelt4.21.0
westerndigital:my_cloud_homewesterndigital my cloud homelt4.26.0-6126
westerndigital:my_cloud_os_5westerndigital my cloud os 5lt4.21.0
westerndigital:sandisk_ibiwesterndigital sandisk ibilt4.21.0
westerndigital:sandisk_ibiwesterndigital sandisk ibilt4.26.0-6126

CPE	Name	Operator	Version
westerndigital:my_cloud	westerndigital my cloud	lt	4.26.0-6126
westerndigital:my_cloud_home	westerndigital my cloud home	lt	4.21.0
westerndigital:my_cloud_home	westerndigital my cloud home	lt	4.26.0-6126
westerndigital:my_cloud_os_5	westerndigital my cloud os 5	lt	4.21.0
westerndigital:sandisk_ibi	westerndigital sandisk ibi	lt	4.21.0
westerndigital:sandisk_ibi	westerndigital sandisk ibi	lt	4.26.0-6126

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Android",
      "iOS"
    ],
    "product": "My Cloud OS 5 Mobile App",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "4.21.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "iOS",
      "Android"
    ],
    "product": "My Cloud Home Mobile App",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": "4.21.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Android",
      "iOS"
    ],
    "product": "ibi Mobile App",
    "vendor": "SanDisk",
    "versions": [
      {
        "lessThan": "4.21.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "My Cloud OS 5 Web App",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": " 4.26.0-6126",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "My Cloud Home Web App",
    "vendor": "Western Digital",
    "versions": [
      {
        "lessThan": " 4.26.0-6126",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "ibi Web App",
    "vendor": "SanDisk",
    "versions": [
      {
        "lessThan": " 4.26.0-6126",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.westerndigital.com/support/product-security/wdc-23004-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-mobile-and-web-app-update

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.9%

JSON

Related for CVE-2023-22813

prion1 nvd1 cvelist1