CVE-2021-22914

Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.citrix.com/article/CTX316690	Vendor Advisory
https://support.citrix.com/article/CTX316690	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:citrix:cloud_connector:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:50

Type	Values Removed	Values Added
References	~~() https://support.citrix.com/article/CTX316690 - Vendor Advisory~~	() https://support.citrix.com/article/CTX316690 - Vendor Advisory

Information

Published : 2021-06-16 14:15

Updated : 2024-11-21 05:50

NVD link : CVE-2021-22914

Mitre link : CVE-2021-22914

CVE.ORG link : CVE-2021-22914

JSON object : View

Products Affected

citrix

cloud_connector

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2021-22914", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-06-16T14:15:08.683", "references": [{"url": "https://support.citrix.com/article/CTX316690", "tags": ["Vendor Advisory"], "source": "support@hackerone.com"}, {"url": "https://support.citrix.com/article/CTX316690", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-922"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "Citrix Cloud Connector before 6.31.0.62192 suffers from insecure storage of sensitive information due to sensitive information being stored in the Citrix Cloud Connector installation log files. Such information could be used by an malicious actor to access a Citrix Cloud environment. This issue affects all versions of Citrix Cloud Connector that were installed by passing secure client parameters for installation via the command line. The issue does not affect Citrix Cloud Connector if it was installed using the interactive installer or where a parameter file was used with the command-line installer."}, {"lang": "es", "value": "Citrix Cloud Connector versiones anteriores a 6.31.0.62192, sufre de almacenamiento no seguro de informaci\u00f3n confidencial debido a que la informaci\u00f3n confidencial es almacenada en los archivos de registro de instalaci\u00f3n de Citrix Cloud Connector. Esta informaci\u00f3n podr\u00eda ser usada por un actor malicioso para acceder a un entorno de Citrix Cloud. Este problema afecta a todas las versiones de Citrix Cloud Connector que fueron instaladas pasando par\u00e1metros de cliente seguro para la instalaci\u00f3n por medio de la l\u00ednea de comandos. El problema no afecta a Citrix Cloud Connector si se instal\u00f3 mediante el instalador interactivo o si se us\u00f3 un archivo de par\u00e1metros con el instalador de l\u00ednea de comandos"}], "lastModified": "2024-11-21T05:50:54.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:citrix:cloud_connector:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81564DA8-436D-433F-8486-E48A90AE8F14", "versionEndExcluding": "6.31.0.62192"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}