CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector string | AV:N/AC:M/Au:N/C:P/I:P/A:N |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 52.3% |
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:

CVE-ID | Description | CWE | Affected Products | Pre-conditions |
---|---|---|---|---|
CVE-2021-22919 | Limited disk space consumption on the appliance | CWE-400: Uncontrolled Resource Consumption | Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition | Unauthenticated attacker must be able to reach the management GUI |
CVE-2021-22920 | SAML authentication hijack through a phishing attack to steal a valid user session | CWE-284: Improper Access Control | Citrix ADC, Citrix Gateway | Citrix ADC or Citrix Gateway must be configured as a SAML SP |
CVE-2021-22927 | Session fixation by an authorized user on SAML SP | CWE-384: Session Fixation | Citrix ADC, Citrix Gateway | Citrix ADC or Citrix Gateway must be configured as a SAML SP |

The following supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition are affected by CVE-2021-22919:

The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2021-22920:

The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2021-22927:

These issues have already been addressed in Citrix-managed Cloud services such as Citrix Gateway Service and Citrix Secure Workspace Access. Customers using Citrix-managed Cloud services do not need to take any action.
Vendor | Product | Version | CPE |
---|---|---|---|
citrix | xenmobile | * | cpe:2.3:a:citrix:xenmobile:*:*:*:*:*:*:*:* |
citrix | gateway | * | cpe:2.3:a:citrix:gateway:*:*:*:*:*:*:*:* |
citrix | netscaler_gateway | * | cpe:2.3:h:citrix:netscaler_gateway:*:*:*:*:*:*:*:* |
citrix | sd-wan_wanop | * | cpe:2.3:o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:* |