CVE-2023-22817 — MEDIUM (5.5)

Q: How severe is CVE-2023-22817?

CVE-2023-22817 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-22817?

Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Cloud Pr2100 Firmware, Westerndigital My Cloud Pr2100, Westerndigital My Cloud Pr4100 Firmware, Westerndigital My Cloud Pr4100, Westerndigital My Cloud Ex4100 Firmware.

Vulnerability Description

Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Westerndigital	My Cloud Pr2100 Firmware	< 5.27.161
Westerndigital	My Cloud Pr2100	-
Westerndigital	My Cloud Pr4100 Firmware	< 5.27.161
Westerndigital	My Cloud Pr4100	-
Westerndigital	My Cloud Ex4100 Firmware	< 5.27.161
Westerndigital	My Cloud Ex4100	-
Westerndigital	My Cloud Ex2 Ultra Firmware	< 5.27.161
Westerndigital	My Cloud Ex2 Ultra	-
Westerndigital	My Cloud Mirror G2 Firmware	< 5.27.161
Westerndigital	My Cloud Mirror G2	-
Westerndigital	My Cloud Dl2100 Firmware	< 5.27.161
Westerndigital	My Cloud Dl2100	-
Westerndigital	My Cloud Dl4100 Firmware	< 5.27.161
Westerndigital	My Cloud Dl4100	-
Westerndigital	My Cloud Ex2100 Firmware	< 5.27.161
Westerndigital	My Cloud Ex2100	-
Westerndigital	My Cloud Glacier Firmware	< 5.27.161
Westerndigital	My Cloud Glacier	-
Westerndigital	Wd Cloud Firmware	< 5.27.161
Westerndigital	Wd Cloud	-

Related Weaknesses (CWE)

CWE-918

References

https://www.westerndigital.com/support/product-security/wdc-24001-western-digitaVendor Advisory
https://www.westerndigital.com/support/product-security/wdc-24001-western-digitaVendor Advisory

FAQ

What is CVE-2023-22817?

CVE-2023-22817 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then...

How severe is CVE-2023-22817?

CVE-2023-22817 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-22817?

Check the references section above for vendor advisories and patch information. Affected products include: Westerndigital My Cloud Pr2100 Firmware, Westerndigital My Cloud Pr2100, Westerndigital My Cloud Pr4100 Firmware, Westerndigital My Cloud Pr4100, Westerndigital My Cloud Ex4100 Firmware.