Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-8982Path Traversal in Citrix Sharefile Storagezones Controller

CWE-22Path Traversal12 documents5 sources
Severity
7.5HIGHNVD
EPSS
75.9%
top 1.08%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
9
Citrix Sharefile Storagezones ControllerCitrix ADMCitrix Hypervisor+6 more
Timeline
PublishedMay 7
Latest updateMay 24

Description

An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020. RCE and file access is granted to everything hosted by ShareFile, be it on-premise or inside Citrix Cloud itself (both are internet facing). NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

🔴Vulnerability Details

4
GHSA
GHSA-xqh7-34g2-j95q: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 52022-05-24
GHSA
GHSA-jjf5-33c4-34wr: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 52022-05-24
GHSA
GHSA-2p3q-x3x4-ww4x: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 52022-05-24
VulnCheck
Citrix ShareFile Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')2020

💥Exploits & PoCs

1
Nuclei
Citrix ShareFile StorageZones <=5.10.x - Arbitrary File Read

📋Vendor Advisories

4
Citrix
CVE-2020-7473: In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of M2020-05-07
Citrix
CVE-2020-8983: An arbitrary file write issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x2020-05-07
Citrix
CVE-2020-8982: An unauthenticated arbitrary file read issue exists in all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the mos2020-05-07
Citrix
Citrix Security Bulletin CTX269106