CVE-2023-22817
moderate-risk
Published 2024-02-05
Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.
Do I need to act?
0.09% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 5.5/10
Medium
LOCAL / LOW complexity
Affected Products (13)
My Cloud Pr2100 Firmware
My Cloud Ex4100 Firmware
My Cloud Ex2 Ultra Firmware
My Cloud Mirror G2 Firmware
My Cloud Dl2100 Firmware
My Cloud Dl4100 Firmware
My Cloud Ex2100 Firmware
My Cloud Glacier Firmware
Wd Cloud Firmware
My Cloud Home Firmware
My Cloud Home Duo Firmware
Sandisk Ibi Firmware
Affected Vendors
References (2)
35 / 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
17/34 · Moderate