Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices. This could allow the URL to exploit other vulnerabilities on the local server.This issue affects My Cloud OS 5 devices before 5.26.202.




**WDC Tracking Number:** WDC-23006  
**Product Line:** My Cloud  
**Published:** May 15, 2023

**Last Updated:** May 15, 2023

**Description**

My Cloud OS 5 Firmware 5.26.202 includes updates to help improve the security of your My Cloud OS 5 devices.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.26.202

May 15, 2023

My Cloud PR4100

5.26.202

May 15, 2023

My Cloud EX4100

5.26.202

May 15, 2023

My Cloud EX2 Ultra

5.26.202

May 15, 2023

My Cloud Mirror G2

5.26.202

May 15, 2023

My Cloud DL2100

5.26.202

May 15, 2023

My Cloud DL4100

5.26.202

May 15, 2023

My Cloud EX2100

5.26.202

May 15, 2023

My Cloud

5.26.202

May 15, 2023

WD Cloud

5.26.202

May 15, 2023

For more information on the latest security updates, see the release notes.

**Advisory Summary**

Addressed an uncontrolled resource consumption issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted.

**CVE Number:** CVE-2022-36326

Reported By: Sam Thomas (@\_s\_n\_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

Addressed a path traversal vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution.  

**CVE Number:**  CVE-2022-36327  

Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative

Addressed a path traversal vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations.

**CVE Number:** CVE-2022-36328

Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative

Addressed a server-side request forgery vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter. This could allow the URL to exploit other vulnerabilities on the local server.

**CVE Number:** CVE-2022-29840

Reported By: Sam Thomas (@\_s\_n\_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

CVE-2022-29840: WDC-23006 My Cloud Firmware Version 5.26.202 | Western Digital

**Report a Security Issue**

To report a security issue you believe you have found in a Western Digital product or service, please email the details of your findings to PSIRT@wdc.com. Messages sent to any other email addresses may result in a delayed response.  
When possible, please include the following:

*   The specific product(s) or service(s) affected, including any relevant version numbers;
*   Details about the impact of the issue;
*   Any information that can help reproduce or diagnose the issue, including a Proof of Concept (PoC) if available; and
*   Whether you believe the vulnerability is already publicly disclosed or known to third parties.

  
Please use our PGP/GPG key to encrypt the information before sending it.

**Vulnerability Disclosure Program**

Western Digital follows a coordinated vulnerability disclosure process. For more information on the scope of our vulnerability disclosure program and what you can expect when working with Western Digital, see our Vulnerability Disclosure Policy.

Western Digital Vulnerability Disclosure Policy

CVE-2022-29840: Product Security | Western Digital

There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.0 and below that may allow an attacker to trick an authorized user into executing unwanted actions. 

CVE-2023-25832: Portal for ArcGIS Security 2023 Update 1 Patch

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.

CVE-2023-31804: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.

CVE-2023-31802: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.

CVE-2023-31801: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.

CVE-2023-31800: Security issues - Chamilo LMS

imgproxy prior to version 3.15.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.

**imgproxy is vulnerable to Server-Side Request Forgery**

Moderate severity GitHub Reviewed Published May 8, 2023 to the GitHub Advisory Database • Updated May 11, 2023

GHSA-9x7h-ggc3-xg47: imgproxy is vulnerable to Server-Side Request Forgery

imgproxy <= 3.6.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.

*   

GitHub - imgproxy/imgproxy: Fast and secure standalone server for resizing and converting remote images

Fast and secure standalone server for resizing and converting remote images - GitHub - imgproxy/imgproxy: Fast and secure standalone server for resizing and converting remote images

GitHubimgproxy

This means that an attacker can still pass loopback addresses as part of the imageURL parameter, which could allow them to exploit the vulnerability.

This vulnerability may lead to internal enumeration of internal hosts or ports, It's error based because the application returns two error messages:

\- 500 Internal Server Error (Source image is unreachable): if the URL is unreachable, which means that the host or the port is unreachable or not open.

\- 422 Unprocessable Entity (Invalid source image): if the URL is reachable and the port is open.

Mitigation: https://github.com/imgproxy/imgproxy/commit/1a9768a2c682e88820064aa3d9a05ea234ff3cc4

CVE-2023-30019: CVE-2023-30019: SSRF in imgproxy<=3.14.0

Red Hat Security Advisory 2023-2100-01 - This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include bypass, code execution, cross site scripting, denial of service, man-in-the-middle, memory exhaustion, resource exhaustion, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Integration Camel for Spring Boot 3.20.1 security update  
Advisory ID:       RHSA-2023:2100-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2100  
Issue date:        2023-05-03  
CVE Names:         CVE-2021-37533 CVE-2022-4492 CVE-2022-25857   
                   CVE-2022-31777 CVE-2022-33681 CVE-2022-37865   
                   CVE-2022-37866 CVE-2022-38398 CVE-2022-38648   
                   CVE-2022-38749 CVE-2022-38750 CVE-2022-38751   
                   CVE-2022-38752 CVE-2022-39368 CVE-2022-40146   
                   CVE-2022-40150 CVE-2022-40151 CVE-2022-40152   
                   CVE-2022-40156 CVE-2022-41704 CVE-2022-41852   
                   CVE-2022-41853 CVE-2022-41854 CVE-2022-41881   
                   CVE-2022-41966 CVE-2022-42003 CVE-2022-42004   
                   CVE-2022-42890 CVE-2023-1370 CVE-2023-1436   
                   CVE-2023-20860 CVE-2023-20861 CVE-2023-20863   
                   CVE-2023-22602 CVE-2023-24998   
=====================================================================

1. Summary:

Red Hat Integration Camel for Spring Boot 3.20.1 release and security  
update is now available.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

This release of Camel for Spring Boot 3.20.1 serves as a replacement for  
Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which  
are documented in the Release Notes document linked in the References.

The purpose of this text-only errata is to inform you about the security  
issues fixed.

Security Fix(es):

* snakeyaml: Denial of Service due to missing nested depth limitation for  
collections (CVE-2022-25857)

* JXPath: untrusted XPath expressions may lead to RCE attack  
(CVE-2022-41852)

* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

* xstream: Denial of Service by injecting recursive collections or maps  
based on element's hash values raising a stack overflow (CVE-2022-41966)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern  
(CVE-2023-20860)

* apache-commons-net: FTP client trusts the host from PASV response by  
default (CVE-2021-37533)

* undertow: Server identity in https connection is not checked by the  
undertow client (CVE-2022-4492)

* apache-spark: XSS vulnerability in log viewer UI Javascript  
(CVE-2022-31777)

* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy  
can expose authentication data via MITM (CVE-2022-33681)

* apache-ivy: Directory Traversal (CVE-2022-37865)

* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)

* batik: Server-Side Request Forgery (CVE-2022-38398)

* batik: Server-Side Request Forgery (CVE-2022-38648)

* snakeyaml: Uncaught exception in  
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)

* snakeyaml: Uncaught exception in  
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject  
(CVE-2022-38750)

* snakeyaml: Uncaught exception in  
java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode  
(CVE-2022-38752)

* scandium: Failing DTLS handshakes may cause throttling to block  
processing of records (CVE-2022-39368)

* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40151)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40152)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40156)

* batik: Apache XML Graphics Batik vulnerable to code execution via SVG  
(CVE-2022-41704)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS  
(CVE-2022-41881)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* batik: Untrusted code execution in Apache XML Graphics Batik  
(CVE-2022-42890)

* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* shiro: Authentication bypass through a specially crafted HTTP request  
(CVE-2023-22602)

* Apache Commons FileUpload: FileUpload DoS with excessive parts  
(CVE-2023-24998)

* jettison: memory exhaustion via user-supplied XML or JSON data  
(CVE-2022-40150)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart  
(Resource Exhaustion) (CVE-2023-1370)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode  
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject  
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match  
2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode  
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks  
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data  
2136128 - CVE-2022-41852 JXPath: untrusted XPath expressions may lead to RCE attack  
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack  
2136207 - CVE-2022-33681 Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM  
2145205 - CVE-2022-39368 scandium: Failing DTLS handshakes may cause throttling to block processing of records  
2145264 - CVE-2022-31777 apache-spark: XSS vulnerability in log viewer UI Javascript  
2150011 - CVE-2022-37866 : Apache Ivy: Ivy Path traversal  
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow  
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client  
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS  
2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability  
2155292 - CVE-2022-38398 batik: Server-Side Request Forgery  
2155295 - CVE-2022-38648 batik: Server-Side Request Forgery  
2169924 - CVE-2021-37533 apache-commons-net: FTP client trusts the host from PASV response by default  
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow  
2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts  
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern  
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability  
2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG  
2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik  
2182188 - CVE-2022-37865 apache-ivy: Directory Traversal  
2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request  
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray  
2187742 - CVE-2023-20863 springframework: Spring Expression DoS Vulnerability  
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

5. References:

https://access.redhat.com/security/cve/CVE-2021-37533  
https://access.redhat.com/security/cve/CVE-2022-4492  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-31777  
https://access.redhat.com/security/cve/CVE-2022-33681  
https://access.redhat.com/security/cve/CVE-2022-37865  
https://access.redhat.com/security/cve/CVE-2022-37866  
https://access.redhat.com/security/cve/CVE-2022-38398  
https://access.redhat.com/security/cve/CVE-2022-38648  
https://access.redhat.com/security/cve/CVE-2022-38749  
https://access.redhat.com/security/cve/CVE-2022-38750  
https://access.redhat.com/security/cve/CVE-2022-38751  
https://access.redhat.com/security/cve/CVE-2022-38752  
https://access.redhat.com/security/cve/CVE-2022-39368  
https://access.redhat.com/security/cve/CVE-2022-40146  
https://access.redhat.com/security/cve/CVE-2022-40150  
https://access.redhat.com/security/cve/CVE-2022-40151  
https://access.redhat.com/security/cve/CVE-2022-40152  
https://access.redhat.com/security/cve/CVE-2022-40156  
https://access.redhat.com/security/cve/CVE-2022-41704  
https://access.redhat.com/security/cve/CVE-2022-41852  
https://access.redhat.com/security/cve/CVE-2022-41853  
https://access.redhat.com/security/cve/CVE-2022-41854  
https://access.redhat.com/security/cve/CVE-2022-41881  
https://access.redhat.com/security/cve/CVE-2022-41966  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-42890  
https://access.redhat.com/security/cve/CVE-2023-1370  
https://access.redhat.com/security/cve/CVE-2023-1436  
https://access.redhat.com/security/cve/CVE-2023-20860  
https://access.redhat.com/security/cve/CVE-2023-20861  
https://access.redhat.com/security/cve/CVE-2023-20863  
https://access.redhat.com/security/cve/CVE-2023-22602  
https://access.redhat.com/security/cve/CVE-2023-24998  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFKf5tzjgjWX9erEAQhIqg//XeYlOwVssDc5dWFf02uXELWr1vTurtJ+  
7QGG8kgacPOojp8CHqFy1Bgyt0XIRQq75pwaFRjG4ea2Tbfusr77ZDq9Yq/wl18p  
4U8FZ885MIaTYPt+xK2kNVf0c0qJAxwIcA9h+FSrmETpNxPcf2axexpbyRNdSLIv  
3Oet0spu1hpJl0agTZ214dRFODuLq/ZylBueAQB0D1UbUFwdhs0Ay/LdGxvq6fNp  
HcZU8YQvhbTCgqV3Hr4Y9wsgvyjENoLkp6QhaD38Jgp3JvXwFLbLfvZNRZn7ILKx  
VIz4Tqr1qrEMzsX0gZuM2H5fIjriXezhrPKvy6V2aA6rHws2p1DociAGepQmCL64  
Obc6UE36z5ebu7yGXMzzcuxE4TP7rrAokEqEjVngysitXoFHlt3CdNFrfaHU8fOc  
HykRqQm0BhMKGtocLUSG9Ykw/k0AbX0ZtDqrLjsjTJczulJXm43qEN0KQZjZEz78  
5OHTThAs7Cz3l77NMvk6XTOsr+kxYLoJdmdfWPkyeFjqZ73F7DR6KZLSNOuho5mE  
rNI24kXfC/1NwqyteG/3936kO1nHHWx4X3s9IQ/JHCLe7vnsAt3tEi1MUG16tvpb  
dSnn728JfYB1L8IdYNh+BUgEmc2P5KaMb+wpilffsW3lIgwKOsFa/Z6noMeJCjiO  
4+sH8zYm/3A=  
=u6p/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#ssrf