4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
<section>
<div><div>
<div>
<h2>Description of Problem</h2>
<div>
<div>
<div>
<p>Two security issues have been identified in Citrix ShareFile StorageZones Controller. If exploited, they could allow a compromised or malicious ShareFile user to write arbitrary files to the controller's local file system, with the permissions of the Active Directory user account that ShareFile user maps to, and to discover the full local file system paths of shared files to which that ShareFile user already has access.</p>
<p>These issues affect all currently supported versions of Citrix ShareFile StorageZones Controller before version 5.4.2.</p>
<p>The following issues have been addressed:</p>
<p>• CVE-2018-16968 (Medium): Citrix ShareFile StorageZones Controller before 5.4.2 allows Directory Traversal</p>
<p>• CVE-2018-16969 (Low): Citrix ShareFile StorageZones Controller before 5.4.2 has Information Exposure Through an Error Message</p>
</div>
</div>
</div>
</div>
<div>
<h2>Mitigating Factors</h2>
<div>
<div>
<div>
<p>Both issues require a compromised or malicious ShareFile user account to exploit. To write a file, the Active Directory user account that the ShareFile user maps to must also hold local file system permission to write to the chosen location. To read the full path of a shared file, the ShareFile user account must already have permission to that shared file.</p>
</div>
</div>
</div>
</div>
<div>
<h2>What Customers Should Do</h2>
<div>
<div>
<div>
<p>A new version of the Citrix ShareFile StorageZones Controller has been released. Citrix recommends that affected customers review the risk these issues pose to their specific deployment and upgrade in a timely manner.</p>
<p>Citrix also recommends that the StorageZones Controller be configured so that the Active Directory user accounts it operates as have permission to read and write files only within the storage path root. This limits where a directory traversal can place a file even before the upgrade is applied.</p>
<p>The StorageZones Controller can be downloaded at the following location: <a href="https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html">https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-542.html</a></p>
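<p>The following PowerShell is an added example to help verify that recommendation; it is not part of this advisory or of the StorageZones Controller. It walks the local volumes and reports every directory outside the storage path root where the controller's Active Directory account holds an explicit Allow entry carrying write, modify, delete or full-control rights. The account name, group names, storage root and drive letters in it are placeholders to replace with your own. Rights granted through group membership are only found if those groups are passed in as well.</p>

```powershell
# Added audit helper (not Citrix code). Reports directories outside the storage
# path root where the given identities hold explicit write-capable NTFS rights.
# All account names, paths and drives used here are placeholders.
function Find-WriteAccessOutsideRoot {
    param(
        # The AD account the controller writes files as, plus any groups it belongs
        # to: an ACE granted to a group is not listed under the user's own name.
        [Parameter(Mandatory)] [string[]]$Identities,
        # Configured storage path root; write access under this tree is by design.
        [Parameter(Mandatory)] [string]$StorageRoot,
        # Volumes to walk.
        [string[]]$SearchRoots = @('C:\')
    )

    $FSR = [System.Security.AccessControl.FileSystemRights]
    # Any of these rights lets the account create, alter or remove files/directories.
    $writeMask = [int]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Write -bor
                       $FSR::Delete -bor $FSR::Modify -bor $FSR::FullControl)

    # Normalise the root so a prefix comparison cannot match "D:\ShareFileStorage2".
    $root = (Resolve-Path -LiteralPath $StorageRoot).ProviderPath.TrimEnd('\') + '\'

    foreach ($searchRoot in $SearchRoots) {
        Get-ChildItem -LiteralPath $searchRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName.TrimEnd('\') + '\'
            # Skip the storage root subtree: writes there are expected.
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return }

            # Directories this session cannot read are skipped rather than aborting the scan.
            try { $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop } catch { return }

            foreach ($ace in $acl.Access) {
                # Only explicit ACEs: an inherited one traces back to an explicit
                # grant higher up, which is reported on its own directory.
                if ($ace.IsInherited) { continue }
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

                [pscustomobject]@{
                    Path     = $_.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Usage with placeholder names; run in an elevated session on the controller host.
# Find-WriteAccessOutsideRoot -Identities 'CONTOSO\sf-storage-svc', 'CONTOSO\ShareFile Users' `
#     -StorageRoot 'D:\ShareFileStorage' -SearchRoots 'C:\', 'D:\' | Format-Table -AutoSize
```

<p>An empty result means the listed identities have no explicit write-capable grant outside the storage root on the scanned volumes. Any row returned is a location a traversal could reach, and should be removed from the account's ACL or justified.</p>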
</div>
</div>
</div>
</div>
<div>
<h2>Acknowledgements</h2>
<div>
<div>
<div>
<p>Citrix thanks Wolfgang Ettlinger of SEC Consult Vulnerability Lab (<a href="http://www.sec-consult.com/">http://www.sec-consult.com/</a>) for working with us to protect Citrix customers.</p>
</div>
</div>
</div>
</div>
<div>
<h2>What Citrix Is Doing</h2>
<div>
<div>
<div>
<div>
<div>
<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u><a href="http://support.citrix.com/">http://support.citrix.com/</a></u>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2>Obtaining Support on This Issue</h2>
<div>
<div>
<div>
<div>
<div>
<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u><a href="https://www.citrix.com/support/open-a-support-case.html">https://www.citrix.com/support/open-a-support-case.html</a></u>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2>Reporting Security Vulnerabilities</h2>
<div>
<div>
<div>
<div>
<div>
<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743, <a href="http://support.citrix.com/article/CTX081743">Reporting Security Issues to Citrix</a></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<h2>Changelog</h2>
<div>
<div>
<div>
<table width="100%">
<tbody>
<tr>
<td colspan="1" rowspan="1">Date</td>
<td colspan="1" rowspan="1">Change</td>
</tr>
<tr>
<td colspan="1" rowspan="1">19th September 2018</td>
<td colspan="1" rowspan="1">Initial publishing</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div></div>
</section>