CVE-2023-22817

MEDIUM

Western Digital My Cloud OS 5 and My Cloud Home - Server-Side Request Forgery via Loopback DNS Redirection

Description

Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104. 

Scores

CVSS v3 5.5
EPSS 0.0024
EPSS Percentile 15.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (13)
westerndigital/my_cloud_dl2100_firmware < 5.27.161
westerndigital/my_cloud_dl4100_firmware < 5.27.161
westerndigital/my_cloud_ex2100_firmware < 5.27.161
westerndigital/my_cloud_ex2_ultra_firmware < 5.27.161
westerndigital/my_cloud_ex4100_firmware < 5.27.161
westerndigital/my_cloud_glacier_firmware < 5.27.161
westerndigital/my_cloud_home_duo_firmware < 9.5.1-104
westerndigital/my_cloud_home_firmware < 9.5.1-104
westerndigital/my_cloud_mirror_g2_firmware < 5.27.161
westerndigital/my_cloud_pr2100_firmware < 5.27.161
... and 3 more
Published Feb 05, 2024
Tracked Since Feb 18, 2026