CVE-2020-8982
Vulnerability from cvelistv5
Published
2020-05-07 13:55
Modified
2024-08-04 10:19
Severity ?
Summary
An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983.
References
cve@mitre.orghttps://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view
cve@mitre.orghttps://support.citrix.com/article/CTX269106Vendor Advisory
cve@mitre.orghttps://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/
af854a3a-2127-422b-91ae-364da2661108https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view
af854a3a-2127-422b-91ae-364da2661108https://support.citrix.com/article/CTX269106Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:19:19.281Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.citrix.com/article/CTX269106"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer\u0027s product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-15T19:44:12",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.citrix.com/article/CTX269106"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-8982",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer\u0027s product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.citrix.com/article/CTX269106",
              "refsource": "CONFIRM",
              "url": "https://support.citrix.com/article/CTX269106"
            },
            {
              "name": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/",
              "refsource": "MISC",
              "url": "https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/"
            },
            {
              "name": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view",
              "refsource": "MISC",
              "url": "https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-8982",
    "datePublished": "2020-05-07T13:55:59",
    "dateReserved": "2020-02-13T00:00:00",
    "dateUpdated": "2024-08-04T10:19:19.281Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-8982\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-05-07T14:15:12.010\",\"lastModified\":\"2024-11-21T05:39:46.393\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer\u0027s product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983.\"},{\"lang\":\"es\",\"value\":\"Existe un problema de lectura de archivos arbitrarios no autenticado en todas las versiones del controlador Citrix ShareFile StorageZones (tambi\u00e9n conocido como zonas de almacenamiento), incluidas las versiones m\u00e1s recientes de 5.10.x a partir de mayo de 2020. Se otorga acceso a archivos y RCE a todo lo alojado por ShareFile, ya sea en- local o dentro de Citrix Cloud (ambos tienen conexi\u00f3n a internet). NOTA: a diferencia de la mayor\u00eda de los CVE, la capacidad de explotaci\u00f3n depende de la versi\u00f3n del producto que estaba en uso cuando se realiz\u00f3 un paso de configuraci\u00f3n particular, NO de la versi\u00f3n del producto que est\u00e1 en uso durante una evaluaci\u00f3n actual del inventario de productos de un consumidor de CVE. Espec\u00edficamente, la vulnerabilidad puede explotarse si una de estas versiones del producto cre\u00f3 una zona de almacenamiento: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0 o anterior. Este CVE difiere de CVE-2020-7473 y CVE-2020-8983.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:citrix:sharefile_storagezones_controller:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.5.0\",\"matchCriteriaId\":\"3CDF2EB6-BDE8-42F1-AE12-3370B3CBC053\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:citrix:sharefile_storagezones_controller:5.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C78467E3-DBB4-4C65-A80A-5482B95AD0A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:citrix:sharefile_storagezones_controller:5.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EFBF1D87-DB8B-4F4A-9EDE-A73428734361\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:citrix:sharefile_storagezones_controller:5.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17B1B70C-376C-456A-A335-E23A0E922ECE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:citrix:sharefile_storagezones_controller:5.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"90EDDA18-9157-4408-9C8D-92B242312950\"}]}]}],\"references\":[{\"url\":\"https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://support.citrix.com/article/CTX269106\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://drive.google.com/file/d/1Izd5MF_HHuq8YSwAyJLBErWL_nbe6f9v/view\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.citrix.com/article/CTX269106\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.linkedin.com/posts/jonas-hansen-2a2606b_citrix-sharefile-storage-zones-controller-activity-6663432907455025152-8_w6/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.