CVE-2020-8193

Warning

Exploit

EPSS 94.3%
Published 10.07.2020 16:15:12
Last modified 14.03.2025 15:07:15
Source support@hackerone.com
Teams watchlist Login
Open Login

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.

Affected products Warnungen 1 Metrics 4 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Citrix ≫ Application Delivery Controller Firmware Version >= 10.5 < 10.5-70.18

Citrix ≫ Application Delivery Controller Version-

Citrix ≫ Application Delivery Controller Firmware Version >= 11.1 < 11.1-64.14

Citrix ≫ Application Delivery Controller Version-

Citrix ≫ Application Delivery Controller Firmware Version >= 12.0 < 12.0-63.21

Citrix ≫ Application Delivery Controller Version-

Citrix ≫ Application Delivery Controller Firmware Version >= 12.1 < 12.1-57.18

Citrix ≫ Application Delivery Controller Version-

Citrix ≫ Application Delivery Controller Firmware Version >= 13.0 < 13.0-58.30

Citrix ≫ Application Delivery Controller Version-

Citrix ≫ Netscaler Gateway Firmware Version >= 10.5 < 10.5-70.18

Citrix ≫ NetScaler Gateway Version-

Citrix ≫ Netscaler Gateway Firmware Version >= 11.1 < 11.1-64.14

Citrix ≫ NetScaler Gateway Version-

Citrix ≫ Netscaler Gateway Firmware Version >= 12.0 < 12.0-63.21

Citrix ≫ NetScaler Gateway Version-

Citrix ≫ Netscaler Gateway Firmware Version >= 12.1 < 12.1-57.18

Citrix ≫ NetScaler Gateway Version-

Citrix ≫ Gateway Firmware Version >= 13.0 < 13.0-58.30

Citrix ≫ Gateway Version-

Citrix ≫ Sd-wan Wanop Version >= 10.2 < 10.2.7

   Citrix ≫ 4000-wo Version-
   Citrix ≫ 4100-wo Version-
   Citrix ≫ 5000-wo Version-
   Citrix ≫ 5100-wo Version-

Citrix ≫ Sd-wan Wanop Version >= 11.0 < 11.0.3d

   Citrix ≫ 4000-wo Version-
   Citrix ≫ 4100-wo Version-
   Citrix ≫ 5000-wo Version-
   Citrix ≫ 5100-wo Version-

Citrix ≫ Sd-wan Wanop Version >= 11.1 < 11.1.1a

   Citrix ≫ 4000-wo Version-
   Citrix ≫ 4100-wo Version-
   Citrix ≫ 5000-wo Version-
   Citrix ≫ 5100-wo Version-

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization Bypass Vulnerability

Vulnerability

Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an authorization bypass vulnerability that may allow unauthenticated access to certain URL endpoints. The attacker must have access to the NetScaler IP (NSIP) in order to perform exploitation.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.3%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://support.citrix.com/article/CTX276688

Vendor Advisory

http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html

Third Party Advisory

Exploit

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2020-8193

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-8193

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-8193

EUVD