CVE-2023-22813

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and a missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.
Configurations

Configuration 1

OR cpe:2.3:a:westerndigital:my_cloud:*:*:*:*:*:-:*:*
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:android:*:*
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:-:*:*
cpe:2.3:a:westerndigital:my_cloud_os_5:*:*:*:*:*:android:*:*
cpe:2.3:a:westerndigital:my_cloud_os_5:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:android:*:*
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:-:*:*

History

16 May 2023, 15:01

Type: CWE
Values Removed: -
Values Added: CWE-862

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 4.3

Type: CPE
Values Removed: -
Values Added:
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:westerndigital:my_cloud_os_5:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:westerndigital:my_cloud_os_5:*:*:*:*:*:android:*:*
cpe:2.3:a:westerndigital:my_cloud:*:*:*:*:*:-:*:*
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:android:*:*
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:android:*:*
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:-:*:*
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:-:*:*
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:iphone_os:*:*

Type: References
Values Removed: (MISC) https://www.westerndigital.com/support/product-security/wdc-23004-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-mobile-and-web-app-update
Values Added: (MISC) https://www.westerndigital.com/support/product-security/wdc-23004-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-mobile-and-web-app-update - Vendor Advisory

10 May 2023, 22:15

Type: Summary
Values Removed: A device API endpoint was missing access controls on Western Digital My Cloud OS 5 Mobile App on Android, iOS, Western Digital My Cloud Home Mobile App on iOS, Android, SanDisk ibi Mobile App on Android, iOS, Western Digital WD Cloud Mobile App on Android, iOS, Western Digital My Cloud OS 5 Web App, Western Digital My Cloud Home Web App, SanDisk ibi Web App and the Western Digital WD Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: through 4.21.0; My Cloud Home Mobile App: through 4.21.0; ibi Mobile App: through 4.21.0; WD Cloud Mobile App: through 4.21.0; My Cloud OS 5 Web App: through 4.26.0-6126; My Cloud Home Web App: through 4.26.0-6126; ibi Web App: through 4.26.0-6126; WD Web App: through 4.26.0-6126.
Values Added: A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.

08 May 2023, 23:15

Type: New CVE

Information

Published : 2023-05-08 23:15

Updated : 2024-02-04 23:37


NVD link : CVE-2023-22813

Mitre link : CVE-2023-22813

CVE.ORG link : CVE-2023-22813

Products Affected

westerndigital

  • my_cloud_os_5
  • my_cloud
  • my_cloud_home
  • sandisk_ibi
CWE
CWE-862

Missing Authorization

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor