Vulnerability Name:

CVE-2020-8196 (CCN-184691)

Assigned:2020-07-07
Published:2020-07-07
Updated:2022-05-24
Summary:Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.
CVSS v3 Severity:4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
4.0 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
6.0 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-862
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2020-8196

Source: MISC
Type: Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html

Source: XF
Type: UNKNOWN
citrix-cve20208196-info-disc(184691)

Source: CCN
Type: Packet Storm Security [11-13-2020]
Citrix ADC NetScaler Local File Inclusion

Source: CCN
Type: CTX276688
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update

Source: MISC
Type: Vendor Advisory
https://support.citrix.com/article/CTX276688

Source: CCN
Type: CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY
KNOWN EXPLOITED VULNERABILITIES CATALOG

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [11-13-2020]

Vulnerable Configuration:Configuration 1:
  • cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 10.5 and < 10.5-70.18)
  • OR cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 11.1 and < 11.1-64.14)
  • OR cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 12.0 and < 12.0-63.21)
  • OR cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 12.1 and < 12.1-57.18)
  • OR cpe:/o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:* (Version >= 13.0 and < 13.0-58.30)
  • AND
  • cpe:/h:citrix:application_delivery_controller:-:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:citrix:netscaler_gateway_firmware:*:*:*:*:*:*:*:* (Version >= 10.5 and < 10.5-70.18)
  • OR cpe:/o:citrix:netscaler_gateway_firmware:*:*:*:*:*:*:*:* (Version >= 11.1 and < 11.1-64.14)
  • OR cpe:/o:citrix:netscaler_gateway_firmware:*:*:*:*:*:*:*:* (Version >= 12.0 and < 12.0-63.21)
  • OR cpe:/o:citrix:netscaler_gateway_firmware:*:*:*:*:*:*:*:* (Version >= 12.1 and < 12.1-57.18)
  • AND
  • cpe:/h:citrix:netscaler_gateway:-:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:citrix:gateway_firmware:*:*:*:*:*:*:*:* (Version >= 13.0 and < 13.0-58.30)
  • AND
  • cpe:/h:citrix:gateway:-:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:* (Version >= 11.1 and < 11.1.1a)
  • OR cpe:/o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.0.3d)
  • OR cpe:/o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:* (Version >= 10.2 and < 10.2.7)
  • AND
  • cpe:/h:citrix:5000-wo:-:*:*:*:*:*:*:*
  • OR cpe:/h:citrix:5100-wo:-:*:*:*:*:*:*:*
  • OR cpe:/h:citrix:4100-wo:-:*:*:*:*:*:*:*
  • OR cpe:/h:citrix:4000-wo:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:citrix:gateway_firmware:11.1:*:*:*:*:*:*:*
  • OR cpe:/o:citrix:gateway_firmware:12.0:*:*:*:*:*:*:*
  • OR cpe:/o:citrix:sd-wan_wanop:10.2:*:*:*:*:*:*:*
  • OR cpe:/o:citrix:sd-wan_wanop:11.0:*:*:*:*:*:*:*
  • OR cpe:/o:citrix:sd-wan_wanop:11.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    citrix application delivery controller firmware *
    citrix application delivery controller firmware *
    citrix application delivery controller firmware *
    citrix application delivery controller firmware *
    citrix application delivery controller firmware *
    citrix application delivery controller -
    citrix netscaler gateway firmware *
    citrix netscaler gateway firmware *
    citrix netscaler gateway firmware *
    citrix netscaler gateway firmware *
    citrix netscaler gateway -
    citrix gateway firmware *
    citrix gateway -
    citrix sd-wan wanop *
    citrix sd-wan wanop *
    citrix sd-wan wanop *
    citrix 5000-wo -
    citrix 5100-wo -
    citrix 4100-wo -
    citrix 4000-wo -
    citrix gateway firmware 11.1
    citrix gateway firmware 12.0
    citrix sd-wan wanop 10.2
    citrix sd-wan wanop 11.0
    citrix sd-wan wanop 11.1