CVE-2021-22914 - OpenCVE

Vendors	Products
Citrix	Cloud Connector

Link	Resource
https://support.citrix.com/article/CTX316690	Vendor Advisory

{"containers": {"cna": {"affected": [{"product": "Citrix Cloud Connector", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 6.31.0.62192"}]}], "descriptions": [{"lang": "en", "value": "Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-922", "description": "Insecure Storage of Sensitive Information (CWE-922)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-16T13:08:10", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.citrix.com/article/CTX316690"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2021-22914", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Citrix Cloud Connector", "version": {"version_data": [{"version_value": "Fixed in 6.31.0.62192"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insecure Storage of Sensitive Information (CWE-922)"}]}]}, "references": {"reference_data": [{"name": "https://support.citrix.com/article/CTX316690", "refsource": "MISC", "url": "https://support.citrix.com/article/CTX316690"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2021-22914", "datePublished": "2021-06-16T13:08:10", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2021-06-16T13:08:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:citrix:cloud_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "81564DA8-436D-433F-8486-E48A90AE8F14", "versionEndExcluding": "6.31.0.62192", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer."}, {"lang": "es", "value": "Citrix Cloud Connector versiones anteriores a 6.31.0.62192, sufre de almacenamiento no seguro de informaci\u00f3n confidencial debido a que la informaci\u00f3n confidencial es almacenada en los archivos de registro de instalaci\u00f3n de Citrix Cloud Connector. Esta informaci\u00f3n podr\u00eda ser usada por un actor malicioso para acceder a un entorno de Citrix Cloud. Este problema afecta a todas las versiones de Citrix Cloud Connector que fueron instaladas pasando par\u00e1metros de cliente seguro para la instalaci\u00f3n por medio de la l\u00ednea de comandos. El problema no afecta a Citrix Cloud Connector si se instal\u00f3 mediante el instalador interactivo o si se us\u00f3 un archivo de par\u00e1metros con el instalador de l\u00ednea de comandos"}], "id": "CVE-2021-22914", "lastModified": "2021-06-24T20:30:57.157", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-16T14:15:08.683", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://support.citrix.com/article/CTX316690"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-922"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-922"}], "source": "support@hackerone.com", "type": "Secondary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

JSON object

JSON object

JSON object