CVE-2021-22914 - OpenCVE

Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Citrix	Cloud Connector

Configuration 1 [-]

cpe:2.3:a:citrix:cloud_connector:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.citrix.com/article/CTX316690

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2021-06-16T13:08:10

Updated: 2024-08-03T18:58:25.569Z

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-22914

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-16T14:15:08.683

Modified: 2021-06-24T20:30:57.157

Link: CVE-2021-22914

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Citrix Cloud Connector", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 6.31.0.62192"}]}], "descriptions": [{"lang": "en", "value": "Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-922", "description": "Insecure Storage of Sensitive Information (CWE-922)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-16T13:08:10", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.citrix.com/article/CTX316690"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2021-22914", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Citrix Cloud Connector", "version": {"version_data": [{"version_value": "Fixed in 6.31.0.62192"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insecure Storage of Sensitive Information (CWE-922)"}]}]}, "references": {"reference_data": [{"name": "https://support.citrix.com/article/CTX316690", "refsource": "MISC", "url": "https://support.citrix.com/article/CTX316690"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:58:25.569Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.citrix.com/article/CTX316690"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2021-22914", "datePublished": "2021-06-16T13:08:10", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-08-03T18:58:25.569Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citrix:cloud_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "81564DA8-436D-433F-8486-E48A90AE8F14", "versionEndExcluding": "6.31.0.62192", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer."}, {"lang": "es", "value": "Citrix Cloud Connector versiones anteriores a 6.31.0.62192, sufre de almacenamiento no seguro de informaci\u00f3n confidencial debido a que la informaci\u00f3n confidencial es almacenada en los archivos de registro de instalaci\u00f3n de Citrix Cloud Connector. Esta informaci\u00f3n podr\u00eda ser usada por un actor malicioso para acceder a un entorno de Citrix Cloud. Este problema afecta a todas las versiones de Citrix Cloud Connector que fueron instaladas pasando par\u00e1metros de cliente seguro para la instalaci\u00f3n por medio de la l\u00ednea de comandos. El problema no afecta a Citrix Cloud Connector si se instal\u00f3 mediante el instalador interactivo o si se us\u00f3 un archivo de par\u00e1metros con el instalador de l\u00ednea de comandos"}], "id": "CVE-2021-22914", "lastModified": "2021-06-24T20:30:57.157", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-16T14:15:08.683", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://support.citrix.com/article/CTX316690"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-922"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-922"}], "source": "support@hackerone.com", "type": "Secondary"}]}