Vulnerability Details: CVE-2020-7473
In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk.
Vulnerability category: Directory traversal
Products affected by CVE-2020-7473
- cpe:2.3:a:citrix:sharefile_storagezones_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:sharefile_storagezones_controller:5.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:sharefile_storagezones_controller:5.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:sharefile_storagezones_controller:5.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:sharefile_storagezones_controller:5.9.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-7473
- 0.59%: Probability of exploitation activity in the next 30 days
- ~78%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-7473
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-7473
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-7473
- https://support.citrix.com/article/CTX269106 : Citrix ShareFile storage zones Controller multiple security updates (Vendor Advisory)