CVE-2020-8982 - OpenCVE

Vendors	Products
Citrix	Sharefile Storagezones Controller

Link	Providers
https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view
https://support.citrix.com/article/CTX269106
https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-15T19:44:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.citrix.com/article/CTX269106"}, {"tags": ["x_refsource_MISC"], "url": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/"}, {"tags": ["x_refsource_MISC"], "url": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8982", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://support.citrix.com/article/CTX269106", "refsource": "CONFIRM", "url": "https://support.citrix.com/article/CTX269106"}, {"name": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/", "refsource": "MISC", "url": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/"}, {"name": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view", "refsource": "MISC", "url": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:19:19.281Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.citrix.com/article/CTX269106"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8982", "datePublished": "2020-05-07T13:55:59", "dateReserved": "2020-02-13T00:00:00", "dateUpdated": "2024-08-04T10:19:19.281Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citrix:sharefile_storagezones_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CDF2EB6-BDE8-42F1-AE12-3370B3CBC053", "versionEndIncluding": "5.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:sharefile_storagezones_controller:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "C78467E3-DBB4-4C65-A80A-5482B95AD0A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:sharefile_storagezones_controller:5.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "EFBF1D87-DB8B-4F4A-9EDE-A73428734361", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:sharefile_storagezones_controller:5.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "17B1B70C-376C-456A-A335-E23A0E922ECE", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:sharefile_storagezones_controller:5.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "90EDDA18-9157-4408-9C8D-92B242312950", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983."}, {"lang": "es", "value": "Existe un problema de lectura de archivos arbitrarios no autenticado en todas las versiones del controlador Citrix ShareFile StorageZones (tambi\u00e9n conocido como zonas de almacenamiento), incluidas las versiones m\u00e1s recientes de 5.10.x a partir de mayo de 2020. Se otorga acceso a archivos y RCE a todo lo alojado por ShareFile, ya sea en- local o dentro de Citrix Cloud (ambos tienen conexi\u00f3n a internet). NOTA: a diferencia de la mayor\u00eda de los CVE, la capacidad de explotaci\u00f3n depende de la versi\u00f3n del producto que estaba en uso cuando se realiz\u00f3 un paso de configuraci\u00f3n particular, NO de la versi\u00f3n del producto que est\u00e1 en uso durante una evaluaci\u00f3n actual del inventario de productos de un consumidor de CVE. Espec\u00edficamente, la vulnerabilidad puede explotarse si una de estas versiones del producto cre\u00f3 una zona de almacenamiento: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0 o anterior. Este CVE difiere de CVE-2020-7473 y CVE-2020-8983."}], "id": "CVE-2020-8982", "lastModified": "2020-05-15T20:15:14.453", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-07T14:15:12.010", "references": [{"source": "cve@mitre.org", "url": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://support.citrix.com/article/CTX269106"}, {"source": "cve@mitre.org", "url": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object