CVSS3 base score: 9.8 (High)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002 (Low), percentile 58.3%
Vulnerabilities have been discovered in Citrix Gateway and Citrix ADC, listed below. Note that only appliances that are operating as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) are affected by the first issue, which is rated as a Critical severity vulnerability.
CVE-ID | Description | CWE | Affected Products | Pre-conditions |
---|---|---|---|---|
CVE-2022-27510 | Unauthorized access to Gateway user capabilities | CWE-288: Authentication Bypass Using an Alternate Path or Channel | Citrix Gateway, Citrix ADC | Appliance must be configured as a Gateway |
CVE-2022-27513 | Remote desktop takeover via phishing | CWE-345: Insufficient Verification of Data Authenticity | Citrix Gateway, Citrix ADC | Appliance must be configured as a Gateway and the RDP proxy functionality must be configured |
CVE-2022-27516 | User login brute force protection functionality bypass | CWE-693: Protection Mechanism Failure | Citrix Gateway, Citrix ADC | Appliance must be configured as a Gateway OR AAA virtual server, and the user lockout functionality “Max Login Attempts” must be configured for either Gateway or AAA virtual server |
The following supported versions of Citrix ADC and Citrix Gateway are affected by these vulnerabilities:

Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.21
Citrix ADC 12.1-FIPS before 12.1-55.289
Citrix ADC 12.1-NDcPP before 12.1-55.289
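As an added triage helper (not part of the Citrix bulletin or of this database record), the following Python checks a reported build string against the fixed builds listed above. Citrix builds are written TRAIN-BUILD.SUB (for example 13.1-33.47) and must be compared field by field as integers, not as text or floats; the 12.1-FIPS and 12.1-NDcPP editions share the 12.1 train number but have their own fixed build, which is why the edition has to be passed separately. The fixed-build table repeats the page's values (the 12.1 entry written in the same hyphenated form as the others); the `show version` output layout, the function names and the sample inputs are assumptions of this example.

```python
"""Added triage helper: decide whether a Citrix ADC / Gateway build string falls
below the fixed builds listed in the bulletin above.

Builds are written TRAIN-BUILD.SUB (e.g. 13.1-33.47). The fields must be
compared as integers: 13.1-33.47 is newer than 13.1-4.43 even though the
string "4.43" sorts after "33.47".
"""
import re
from typing import NamedTuple, Optional

# Fixed builds taken from the affected-version list above. The 12.1 FIPS and
# NDcPP editions share the 12.1 train number but have a different fixed build,
# so the key includes the edition.
FIXED_BUILDS = {
    ("13.1", "standard"): "13.1-33.47",
    ("13.0", "standard"): "13.0-88.12",
    ("12.1", "standard"): "12.1-65.21",
    ("12.1", "FIPS"): "12.1-55.289",
    ("12.1", "NDcPP"): "12.1-55.289",
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# Assumed layout of the first line of `show version` on the appliance, e.g.
# "NetScaler NS13.1: Build 33.47.nc, Date: ...". This format is an assumption
# of the example, not something stated on the page.
_SHOW_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+\.\d+)")


class Build(NamedTuple):
    major: int
    minor: int
    build: int
    sub: int

    @property
    def train(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_build(text: str) -> Build:
    """Parse '13.1-33.47' into Build(13, 1, 33, 47); tuple order gives the right comparison."""
    m = _BUILD_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Citrix build string: {text!r}")
    return Build(*(int(g) for g in m.groups()))


def build_from_show_version(line: str) -> str:
    """Turn an (assumed-format) 'show version' line into the TRAIN-BUILD.SUB form."""
    m = _SHOW_VERSION_RE.search(line)
    if m is None:
        raise ValueError(f"no NetScaler version found in: {line!r}")
    return f"{m.group(1)}-{m.group(2)}"


def is_affected(version: str, edition: str = "standard") -> Optional[bool]:
    """True if the build is below the fixed build for its train and edition,
    False if it is at or above it, None if the train/edition is not listed
    (an unlisted train needs a manual check against the vendor bulletin)."""
    current = parse_build(version)
    fixed = FIXED_BUILDS.get((current.train, edition))
    if fixed is None:
        return None
    return current < parse_build(fixed)


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    samples = [("13.1-30.52", "standard"), ("13.1-33.47", "standard"),
               ("12.1-55.289", "FIPS"), ("12.1-55.289", "standard"),
               ("14.1-4.42", "standard")]
    for sample, edition in samples:
        print(sample, edition, "->", is_affected(sample, edition))
    print(build_from_show_version("NetScaler NS13.1: Build 33.47.nc, Date: Oct 19 2022"))
```

Note the asymmetry the edition argument protects against: a FIPS appliance on 12.1-55.289 is at its fixed build, but the same string checked against the standard 12.1 train (fixed at 12.1-65.21) would be reported as affected, so an inventory that does not record the edition produces false positives for FIPS and NDcPP units.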
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services do not need to take any action.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | citrix adc | ge | 13.1 |
| | citrix adc | le | 33.47 |
| | citrix adc | ge | 14.0.0 |
| | citrix adc | ge | 15.0.0 |
| | citrix adc | ge | 16.0.0 |
| | citrix adc | ge | 17.0.0 |
| | citrix adc | ge | 18.0.0 |
| | citrix adc | ge | 19.0.0 |
| | citrix adc | ge | 20.0.0 |
| | citrix adc | ge | 21.0.0 |