First published: Wed May 10 2023
A Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices. This could allow the URL to exploit other vulnerabilities on the local server. This issue affects My Cloud OS 5 devices before 5.26.202.
Credit: psirt@wdc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Westerndigital My Cloud Os | >=5.02.104, <5.26.202 | |
Westerndigital My Cloud | | |
Westerndigital My Cloud Dl2100 | | |
Westerndigital My Cloud Dl4100 | | |
Westerndigital My Cloud Ex2 Ultra | | |
Westerndigital My Cloud Ex2100 | | |
Westerndigital My Cloud Ex4100 | | |
Westerndigital My Cloud Mirror G2 | | |
Westerndigital My Cloud Pr2100 | | |
Westerndigital My Cloud Pr4100 | | |
Westerndigital Wd Cloud | | |
https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202
For My Cloud OS 5 devices, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
CVE-2022-29840 is a Server-Side Request Forgery (SSRF) vulnerability found in Western Digital My Cloud OS 5 devices.
CVE-2022-29840 allows a rogue server on the local network to modify its URL to point back to the loopback adapter, which can be used to exploit other vulnerabilities on the local server.
CVE-2022-29840 affects Western Digital My Cloud OS versions from 5.02.104 up to, but not including, 5.26.202.
CVE-2022-29840 has a severity rating of medium (5.5).
To fix CVE-2022-29840, you should update your Western Digital My Cloud OS to version 5.26.202 or later.