CitrixCTX477617Citrix Workspace app for Windows Security Bulletin for CVE-2023-24484 & CVE-2023-24485
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
13.2%
Vulnerabilities have been identified that, collectively, allow a standard Windows user to perform operations as SYSTEM on the computer running Citrix Workspace app.
These vulnerabilities have the following identifiers:
| CVE ID | Description | Vulnerability Type | Pre-conditions |
|---|---|---|---|
| CVE-2023-24484 | A malicious user can cause log files to be written to a directory that they do not have permission to write to. | CWE-284: Improper Access Control | Local user access to a system where a vulnerable version of Citrix Workspace App for Windows is later installed or uninstalled by a SYSTEM process (e.g. SCCM). |
| CVE-2023-24485 | Privilege Escalation on the system running a vulnerable version of Citrix Workspace app for Windows | CWE-284: Improper Access Control | Local user access to a system at the time a vulnerable version of Citrix Workspace App for Windows is being installed or uninstalled by an Administrator or SYSTEM process (e.g. SCCM). |
The vulnerability affects the following supported versions of Citrix Workspace App for Windows:
- Citrix Workspace App versions before 2212
- Citrix Workspace App 2203 LTSR before CU2
- Citrix Workspace App 1912 LTSR before CU7 Hotfix 2 (19.12.7002)
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
13.2%