cbcvebase.
CVE-2023-22817
published 2024-02-05

CVE-2023-22817: Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back…

PriorityP426medium5.5CVSS 3.1
AVLACLPRLUINSUCNIHAN
EPSS
0.24%
15.1th percentile
Server-side request forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server. This was addressed by fixing DNS addresses that refer to loopback. This issue affects My Cloud OS 5 devices before 5.27.161, My Cloud Home, My Cloud Home Duo and SanDisk ibi devices before 9.5.1-104.

Affected

17 ranges
VendorProductVersion rangeFixed in
pythonpillow>= 0 < 10.2.010.2.0
sandiskibi< 9.5.1-1049.5.1-104
western_digitalmy_cloud_home_duo< 9.5.1-1049.5.1-104
western_digitalmy_cloud_os_5< 5.27.1615.27.161
westerndigitalmy_cloud_dl2100_firmware< 5.27.1615.27.161
westerndigitalmy_cloud_dl4100_firmware< 5.27.1615.27.161
westerndigitalmy_cloud_ex2100_firmware< 5.27.1615.27.161
westerndigitalmy_cloud_ex2_ultra_firmware< 5.27.1615.27.161
westerndigitalmy_cloud_ex4100_firmware< 5.27.1615.27.161
westerndigitalmy_cloud_glacier_firmware< 5.27.1615.27.161
westerndigitalmy_cloud_home_duo_firmware< 9.5.1-1049.5.1-104
westerndigitalmy_cloud_home_firmware< 9.5.1-1049.5.1-104
westerndigitalmy_cloud_mirror_g2_firmware< 5.27.1615.27.161
westerndigitalmy_cloud_pr2100_firmware< 5.27.1615.27.161
westerndigitalmy_cloud_pr4100_firmware< 5.27.1615.27.161
westerndigitalsandisk_ibi_firmware< 9.5.1-1049.5.1-104
westerndigitalwd_cloud_firmware< 5.27.1615.27.161

CVSS provenance

nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
ghsa9.8CRITICAL
vendor_redhat9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.