CVE-2023-6548

Warnung

EPSS 17.8%
Veröffentlicht 17.01.2024 20:15:50
Zuletzt bearbeitet 27.01.2025 21:48:11
Quelle secure@citrix.com
Teams Watchlist Login
Unerledigt Login

Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Citrix ≫ Netscaler Application Delivery Controller SwEditionfips Version >= 12.1 < 12.1-55.302

Citrix ≫ Netscaler Application Delivery Controller SwEditionndcpp Version >= 12.1 < 12.1-55.302

Citrix ≫ Netscaler Application Delivery Controller SwEdition- Version >= 13.0 < 13.0-92.21

Citrix ≫ Netscaler Application Delivery Controller SwEditionfips Version >= 13.1 < 13.1-37.176

Citrix ≫ Netscaler Application Delivery Controller SwEdition- Version >= 13.1 < 13.1-51.15

Citrix ≫ Netscaler Application Delivery Controller SwEdition- Version >= 14.1 < 14.1-12.35

Citrix ≫ NetScaler Gateway Version >= 13.0 < 13.0-92.21

Citrix ≫ NetScaler Gateway Version >= 13.1 < 13.1-51.15

Citrix ≫ NetScaler Gateway Version >= 14.1 < 14.1-12.35

17.01.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability

Schwachstelle

Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	17.8%	0.949

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
secure@citrix.com	5.5	2.1	3.4	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-6548

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-6548

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-6548

EUVD