CVE-2023-22813

Summary

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request.

This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.

Affected Software

VendorProductVersion RangeStatus
Western DigitalMy Cloud OS 5 Mobile App0 < 4.21.0affected
Western DigitalMy Cloud Home Mobile App0 < 4.21.0affected
SanDiskibi Mobile App0 < 4.21.0affected
Western DigitalMy Cloud OS 5 Web App0 < 4.26.0-6126affected
Western DigitalMy Cloud Home Web App0 < 4.26.0-6126affected
SanDiskibi Web App0 < 4.26.0-6126affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References