CVE Tools

CVE-2023-22817

Server-side Request Forgery vulnerability in Western Digital My Cloud, My Cloud Home and SanDisk ibi products

Published: Feb 5, 2024Updated: Nov 21, 2024 Sources: CVE List NVD BDUCWE-918

No Known Exploits

Patch Available

Description

Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.

CVSS Vector Breakdown

Exploitability

AV:LAttack Vector

Local

AC:LAttack Complexity

Low

PR:LPrivileges Required

Low

UI:NUser Interaction

None

Scope

S:UScope

Unchanged

Impact

C:NConfidentiality

None

I:HIntegrity

High

A:NAvailability

None

Open in CVSS calculator →

Weaknesses

Affected Products

My Cloud OS 5 Western Digital

On-prem

Hardware Firmware / storage-nas

My Cloud Home & Duo Western Digital

On-prem

Hardware Firmware / storage-nas

Embedded

Hardware Firmware / storage-nas

my cloud pr2100 firmware westerndigital Hardware Firmware

my cloud pr4100 firmware westerndigital Hardware Firmware

western digitalcommercialUSHardware Firmwareaka western digital

sandiskcommercialUSHardware Firmwareaka sandisk, sandisk.com

westerndigitalcommercialUSHardware Firmwareaka western digital, wd

and 24 more affected products View all →

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

2 techniques

Command and Control

Initial Access

View detailed technique mapping

References

https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update

westerndigital.com

https://www.westerndigital.com/support/product-security/wdc-24001-western-digital-my-cloud-os-5-my-cloud-home-duo-and-sandisk-ibi-firmware-update

westerndigital.com

https://vuldb.com/?id.252891

Timeline

Published

Feb 5, 2024

Last Updated

Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2023-22817 and every CVE in our database. Create a free account — no credit card required.

Create Free Account

Plain-language analysis

Impact assessment and exploitation scenario in plain English

Attack graph visualization

Interactive attack path and kill chain mapping

Exploit details & PoC links

ExploitDB, Metasploit, GitHub PoCs with direct links

Nuclei scanner templates

Ready-to-use vulnerability scanner templates

Full remediation guide

Patch instructions, workarounds, and compliance impact

Interactive AI chat

Ask questions about this vulnerability in natural language

Related vulnerabilities

Semantically similar CVEs and attack patterns

REST API & MCP access

Integrate vulnerability data into your workflows