{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-22817","assignerOrgId":"cb3b742e-5145-4748-b44b-5ffd45bf3b6a","state":"PUBLISHED","assignerShortName":"WDC PSIRT","dateReserved":"2023-01-06T20:23:44.301Z","datePublished":"2024-02-05T21:26:42.020Z","dateUpdated":"2024-08-02T10:20:31.069Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Linux"],"product":"My Cloud OS 5","vendor":"Western Digital","versions":[{"lessThan":"5.27.161","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","platforms":["Linux"],"product":"My Cloud Home & Duo","vendor":"Western Digital","versions":[{"lessThan":"9.5.1-104","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","platforms":["Linux"],"product":"ibi","vendor":"SanDisk","versions":[{"lessThan":"9.5.1-104","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","user":"00000000-0000-4000-9000-000000000000","value":"Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">by fixing DNS addresses that refer to loopback. </span>This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.&nbsp;<br>"}],"value":"Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. \n"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"CWE-918 Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"cb3b742e-5145-4748-b44b-5ffd45bf3b6a","shortName":"WDC PSIRT","dateUpdated":"2024-02-05T21:26:42.020Z"},"references":[{"url":"https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><div><p><span style=\"background-color: var(--wht);\">For My Cloud OS 5 devices,&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.</span></span></p><p><span style=\"background-color: var(--wht);\">My Cloud Home, My Cloud Home Duo and SanDisk ibi devices will be automatically updated to reflect the latest firmware version.</span><br></p></div><div></div></div><div><div><div><div><br></div></div></div></div><br>"}],"value":"For My Cloud OS 5 devices, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.\n\nMy Cloud Home, My Cloud Home Duo and SanDisk ibi devices will be automatically updated to reflect the latest firmware version.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"}],"source":{"discovery":"EXTERNAL"},"title":"Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2023-22817","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-02-06T15:36:16.188338Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-05T17:21:32.355Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T10:20:31.069Z"},"title":"CVE Program Container","references":[{"url":"https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update","tags":["x_transferred"]}]}]}}