CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

Metric | Value |
---|---|
Percentile | 72.0% |

Vulnerabilities have been discovered in Citrix Secure Mail for Android that could allow unauthorised access to data within Citrix Secure Mail.
These vulnerabilities have the following identifiers:
CVE ID | Description | Vulnerability Type | Pre-conditions |
---|---|---|---|
CVE-2020-8274 | Unauthenticated access to read data stored within Secure Mail | CWE-94: Improper Control of Generation of Code (‘Code Injection’) | A malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device |
CVE-2020-8275 | Unauthenticated access to read limited calendar related data stored within Secure Mail | CWE-284: Improper Access Control | A malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device |

The following versions of Citrix Secure Mail are affected by these issues:
Citrix Secure Mail for iOS is unaffected by these vulnerabilities.
Customers who have enabled automatic updates on their device will be automatically updated to a fixed version of Citrix Secure Mail.
The issues have been addressed in the following versions of Citrix Secure Mail:
Customers are recommended to ensure that users of Secure Mail for Android have updated to the latest version using the Google Play Store as soon as possible.
Citrix would like to thank Julien Thomas of Protektoid project for working with us to protect Citrix customers.
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: <https://www.citrix.com/about/trust-center/vulnerability-process.html>
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time.
Date | Change |
---|---|
2020-12-08 | Initial Publication |