#VU86123 Server-Side Request Forgery (SSRF) in Western Digital products - CVE-2023-22817
Published: February 6, 2024 / Updated: February 7, 2024
Vulnerability identifier: #VU86123
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-22817
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
My Cloud PR2100
My Cloud PR4100
My Cloud EX4100
My Cloud EX2 Ultra
My Cloud Mirror G2
My Cloud DL2100
My Cloud DL4100
My Cloud EX2100
WD Cloud
My Cloud (Glacier)
My Cloud Home
My Cloud Home Duo
SanDisk ibi
My Cloud PR2100
My Cloud PR4100
My Cloud EX4100
My Cloud EX2 Ultra
My Cloud Mirror G2
My Cloud DL2100
My Cloud DL4100
My Cloud EX2100
WD Cloud
My Cloud (Glacier)
My Cloud Home
My Cloud Home Duo
SanDisk ibi
Software vendor:
Western Digital
Western Digital
Description
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the RESTSDK server. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
Remediation
Install updates from vendor's website.