vulnrichment WDC PSIRT VULNRICHMENT:CVE-2023-22817
History: Feb 05, 2024 - 9:26 p.m.

CVE-2023-22817 Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products

2024-02-05 21:26:42
CWE-918
WDC PSIRT
github.com
4
cve-2023-22817
ssrf
western digital

CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 6.9
Confidence: Low

SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.

CNA Affected

[
  {
    "vendor": "Western Digital",
    "product": "My Cloud OS 5",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "5.27.161",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "Linux"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Western Digital",
    "product": "My Cloud Home & Duo",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "9.5.1-104",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "Linux"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "SanDisk",
    "product": "ibi",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "9.5.1-104",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "Linux"
    ],
    "defaultStatus": "unaffected"
  }
]
