6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
36.9%
An authorisation bypass vulnerability was discovered in the Citrix Application Delivery Management (ADM) server. The vulnerability allows a Citrix ADM user with read-only privilege to access a managed instances with admin level permissions.
The following deployment scenarios are affected:
1. A Citrix Application Delivery Management server on-premises
2. A Citrix Application Delivery Management on Cloud, deployed on-premises or customer-managed cloud datacenters.
This vulnerability has been assigned the following CVE number:
โข CVE-2019-17366: Improper Access Control in Citrix Application Delivery Management Server.
This vulnerability affects the following product versions:
ยท Citrix Application Delivery Management version 12.0
ยท Citrix Application Delivery Management version 12.1 earlier than build 54.13
ยท Citrix Application Delivery Management Cloud version 13.0 earlier than build 41.20
This vulnerability has been addressed in the following version of Citrix Application Delivery Management:
Citrix has already updated all Citrix ADM deployed on Citrix Cloud to the latest version.
Customers running Citrix Application Delivery Management 12.0 should upgrade to a supported version.
Citrix recommends that customers affected by this vulnerability upgrade to a version of the Citrix Application Delivery Management that contains a fix for this issue as soon as normal patching schedule allows.
The latest on-premises version is available on the Citrix website at the following address:
<https://www.citrix.com/downloads/citrix-application-management>
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _ <http://support.citrix.com/>_.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html>_.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 โ Reporting Security Issues to Citrix
Date | Change |
---|---|
8th October 2019 | |
Initial Publication | |
9th October 2019 | CVE Added |
30th June 2020 | 12.0 Added to vulnerable versions |
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
36.9%