CVE-2020-8196

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Application_delivery_controller_firmware	Citrix	10.5 (including)	10.5-70.18 (excluding)
Application_delivery_controller_firmware	Citrix	11.1 (including)	11.1-64.14 (excluding)
Application_delivery_controller_firmware	Citrix	12.0 (including)	12.0-63.21 (excluding)
Application_delivery_controller_firmware	Citrix	12.1 (including)	12.1-57.18 (excluding)
Application_delivery_controller_firmware	Citrix	13.0 (including)	13.0-58.30 (excluding)

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html
https://support.citrix.com/article/CTX276688

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-8196
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References