cbcvebase.
CVE-2020-8982
published 2020-05-07

CVE-2020-8982: An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent…

PriorityP178high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
27.15%
97.8th percentile
An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-7473 and CVE-2020-8983.

Affected

13 ranges
VendorProductVersion rangeFixed in
citrixcitrix_adm
citrixcitrix_hypervisor
citrixcitrix_virtual_apps_and_desktops
citrixendpoint_management
citrixnetscaler_adc
citrixnetscaler_gateway
citrixsharefile
citrixsharefile_storagezones_controller<= 5.5.0
citrixsharefile_storagezones_controller
citrixsharefile_storagezones_controller
citrixsharefile_storagezones_controller
citrixsharefile_storagezones_controller
citrixxenserver

Detection & IOCsextracted from sources · hover to see the quote

url/XmlPeek.aspx?dt=\\..\\..\\..\\..\\..\\..\\Windows\\win.ini&x=/validate.ashx?requri
path/XmlPeek.aspx
  • HTTP GET request to /XmlPeek.aspx with path traversal in the 'dt' parameter targeting Windows\win.ini; a vulnerable host returns HTTP 200 with body containing 'bit app support', 'fonts', and 'extensions'.
  • Response body match: presence of all three strings 'bit app support', 'fonts', and 'extensions' (AND condition) in the HTTP 200 response body confirms successful arbitrary file read exploitation.
  • The vulnerability is exploitable only if the storage zone was originally created with StorageZones Controller version 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier — regardless of the currently installed version.
  • ·Exploitability is determined by the version used at storage zone CREATION time, not the currently installed version. A fully patched 5.10.x installation remains vulnerable if the zone was originally created on 5.9.0 or earlier.
  • ·Scope of impact includes both on-premise deployments and Citrix Cloud-hosted ShareFile instances, as both are internet-facing.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.