CVE-2023-22813: WDC-23004 Western Digital My Cloud OS 5, My Cloud Home, SanDisk ibi and WD Cloud Mobile and Web App Update | Western Digital
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 Mobile App on Android, iOS, Western Digital My Cloud Home Mobile App on iOS, Android, SanDisk ibi Mobile App on Android, iOS, Western Digital WD Cloud Mobile App on Android, iOS, Western Digital My Cloud OS 5 Web App, Western Digital My Cloud Home Web App, SanDisk ibi Web App and the Western Digital WD Web App. Due to a permissive CORS policy and a missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: through 4.21.0; My Cloud Home Mobile App: through 4.21.0; ibi Mobile App: through 4.21.0; WD Cloud Mobile App: through 4.21.0; My Cloud OS 5 Web App: through 4.26.0-6126; My Cloud Home Web App: through 4.26.0-6126; ibi Web App: through 4.26.0-6126; WD Web App: through 4.26.0-6126.
WDC Tracking Number: WDC-23004
Product Line: My Cloud, My Cloud Home, My Cloud Home Duo, SanDisk ibi, and WD Cloud
Published: March 5, 2023
Last Updated: March 24, 2023
Description
Western Digital My Cloud, My Cloud Home, SanDisk ibi and WD Cloud mobile and web apps have been updated to help improve the security of your devices and data.
Product Impact              | Minimum Fix Version | Last Updated
----------------------------|---------------------|---------------
ibi App - Android           | 4.21.0 or later     | March 01, 2023
ibi App - iOS               | 4.21.0 or later     | March 01, 2023
My Cloud Home App - Android | 4.21.0 or later     | March 01, 2023
My Cloud Home App - iOS     | 4.21.0 or later     | March 01, 2023
My Cloud OS 5 App - Android | 4.21.0 or later     | March 01, 2023
My Cloud OS 5 App - iOS     | 4.21.0 or later     | March 01, 2023
WD Cloud App - Android      | 4.21.0 or later     | March 01, 2023
WD Cloud App - iOS          | 4.21.0 or later     | March 01, 2023
ibi Web App                 | 4.26.0-6126         | March 08, 2023
My Cloud Home Web App       | 4.26.0-6126         | March 08, 2023
My Cloud Web App            | 4.26.0-6126         | March 08, 2023
WD Cloud Web App            | 4.26.0-6126         | March 08, 2023
Users of the mobile apps should promptly update the apps to reflect the latest changes. The web apps have automatically been updated.
Advisory Summary
Addressed a security concern where a device API endpoint was missing access controls. Due to a permissive CORS policy and a missing authentication requirement for private IPs, a remote attacker could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This was addressed by enforcing token-based authentication on the corresponding endpoint to avoid unauthorized information disclosures.
CVE Number: CVE-2023-22813