Vulnerability-Lookup

CNVD-2020-41789

Vulnerability from cnvd - Published: 2020-07-23

Title

Citrix Systems Citrix ShareFile storage zones Controller路径遍历漏洞（CNVD-2020-41789）

Description

Citrix Systems Citrix ShareFile是美国思杰系统（Citrix Systems）公司的一套文件共享解决方案。storage zones Controller是其中的一个存储区控制器。 Citrix Systems Citrix ShareFile storage zones Controller中存在安全漏洞。攻击者可利用该漏洞访问ShareFile用户的文档和文件夹。

Severity

中

Patch Name

Citrix Systems Citrix ShareFile storage zones Controller路径遍历漏洞（CNVD-2020-41789）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://support.citrix.com/article/CTX269106

Reference

https://www.auscert.org.au/bulletins/ESB-2020.1598/

Impacted products

Name
['Citrix Systems Citrix ShareFile storage zones Controller 5.9.0', 'Citrix Systems Citrix ShareFile storage zones Controller 5.8.0', 'Citrix Systems Citrix ShareFile storage zones Controller 5.7.0', 'Citrix Systems Citrix ShareFile storage zones Controller 5.6.0', 'Citrix Systems Citrix ShareFile storage zones Controller <=5.5.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-7473"
    }
  },
  "description": "Citrix Systems Citrix ShareFile\u662f\u7f8e\u56fd\u601d\u6770\u7cfb\u7edf\uff08Citrix Systems\uff09\u516c\u53f8\u7684\u4e00\u5957\u6587\u4ef6\u5171\u4eab\u89e3\u51b3\u65b9\u6848\u3002storage zones Controller\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5b58\u50a8\u533a\u63a7\u5236\u5668\u3002\n\nCitrix Systems Citrix ShareFile storage zones Controller\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95eeShareFile\u7528\u6237\u7684\u6587\u6863\u548c\u6587\u4ef6\u5939\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://support.citrix.com/article/CTX269106",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-41789",
  "openTime": "2020-07-23",
  "patchDescription": "Citrix Systems Citrix ShareFile\u662f\u7f8e\u56fd\u601d\u6770\u7cfb\u7edf\uff08Citrix Systems\uff09\u516c\u53f8\u7684\u4e00\u5957\u6587\u4ef6\u5171\u4eab\u89e3\u51b3\u65b9\u6848\u3002storage zones Controller\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u5b58\u50a8\u533a\u63a7\u5236\u5668\u3002\r\n\r\nCitrix Systems Citrix ShareFile storage zones Controller\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95eeShareFile\u7528\u6237\u7684\u6587\u6863\u548c\u6587\u4ef6\u5939\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Citrix Systems Citrix ShareFile storage zones Controller\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff08CNVD-2020-41789\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Citrix Systems Citrix ShareFile storage zones Controller 5.9.0",
      "Citrix Systems Citrix ShareFile storage zones Controller 5.8.0",
      "Citrix Systems Citrix ShareFile storage zones Controller 5.7.0",
      "Citrix Systems Citrix ShareFile storage zones Controller 5.6.0",
      "Citrix Systems Citrix ShareFile storage zones Controller \u003c=5.5.0"
    ]
  },
  "referenceLink": "https://www.auscert.org.au/bulletins/ESB-2020.1598/",
  "serverity": "\u4e2d",
  "submitTime": "2020-05-07",
  "title": "Citrix Systems Citrix ShareFile storage zones Controller\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff08CNVD-2020-41789\uff09"
}

CVE-2020-7473 (GCVE-0-2020-7473)

Vulnerability from cvelistv5 – Published: 2020-05-07 13:54 – Updated: 2024-08-04 09:33

Summary

In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://support.citrix.com/article/CTX269106

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:33:19.946Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.citrix.com/article/CTX269106"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer\u0027s product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-07T13:54:24",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.citrix.com/article/CTX269106"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-7473",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer\u0027s product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.citrix.com/article/CTX269106",
              "refsource": "CONFIRM",
              "url": "https://support.citrix.com/article/CTX269106"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-7473",
    "datePublished": "2020-05-07T13:54:24",
    "dateReserved": "2020-01-21T00:00:00",
    "dateUpdated": "2024-08-04T09:33:19.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-41789

CVE-2020-7473 (GCVE-0-2020-7473)

Tags

Sightings

Nomenclature