CVE-2009-2213
Published 2009-06-25
Priority P4 · 32 · medium · 6.5 (CVSS 3.1: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N)
EPSS: 2.02% (78.5th percentile)
The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass intended access restrictions.
This is an authorization weakness, not an authentication one (hence CWE-863): the user has already logged in, and the Default Authorization Action is the fall-through decision for any request that no bound authorization policy matches. With the setting at Allow the appliance fails open, so a user who belongs to no group with restrictive policies, or whose traffic no policy rule covers, reaches resources the administrator assumed were blocked. The practitioner's fix is the usual least-privilege inversion: set the default to Deny and grant access only through explicit Allow policies, then confirm the effective value on every appliance rather than trusting the shipped default.
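To make the fail-open default concrete, here is an added Python example (not code from Citrix, from CTX118770 or from the CVE record) that parses two constructed ns.conf fragments, one with the shipped Allow default and one hardened to Deny with an explicit Allow policy, flags the weak one, and evaluates what an authenticated user in a given group reaches under each. The command names `set aaa parameter -defaultAuthorizationAction`, `add authorization policy` and `bind aaa group ... -policy ... -priority` are NetScaler CLI; the classic rule syntax used in the sample lines, the subnets, and the policy and group names are assumptions for illustration.

```python
"""Audit a NetScaler / Access Gateway configuration export for a fail-open
Default Authorization Action and show what it does to an authenticated user.

Added example for this page; not code from Citrix or from the advisory.
"""
import ipaddress
import re

# Constructed ns.conf fragments, not captured from a real appliance.
# `set aaa parameter -defaultAuthorizationAction`, `add authorization policy`
# and `bind aaa group ... -policy ... -priority` are NetScaler CLI commands;
# the classic rule syntax used here (REQ.IP.DESTIP == <net> -netmask <mask>),
# the policy names, the group names and the subnets are assumptions.
WEAK_CONFIG = """\
set aaa parameter -maxAAAUsers 100 -defaultAuthorizationAction ALLOW
add authorization policy deny_finance "REQ.IP.DESTIP == 10.20.0.0 -netmask 255.255.0.0" DENY
bind aaa group Contractors -policy deny_finance -priority 100
"""

HARDENED_CONFIG = """\
set aaa parameter -maxAAAUsers 100 -defaultAuthorizationAction DENY
add authorization policy allow_intranet_web "REQ.IP.DESTIP == 10.10.0.0 -netmask 255.255.0.0" ALLOW
bind aaa group Contractors -policy allow_intranet_web -priority 100
"""

SET_AAA_RE = re.compile(r"^set aaa parameter\b(.*)$")
POLICY_RE = re.compile(
    r'^add authorization policy (\S+) "REQ\.IP\.DESTIP == (\S+) -netmask (\S+)" (ALLOW|DENY)$'
)
BIND_RE = re.compile(r"^bind aaa group (\S+) -policy (\S+) -priority (\d+)$")


def parse_config(text):
    """Extract the default action, authorization policies and group bindings.

    The default is taken as ALLOW when the export does not set it, which is
    the shipped behaviour the advisory describes for affected firmware.
    """
    cfg = {"default_action": "ALLOW", "policies": {}, "bindings": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_AAA_RE.match(line)
        if m:
            opt = re.search(r"-defaultAuthorizationAction (ALLOW|DENY)", m.group(1))
            if opt:
                cfg["default_action"] = opt.group(1)
            continue
        m = POLICY_RE.match(line)
        if m:
            name, net, mask, action = m.groups()
            cfg["policies"][name] = (ipaddress.IPv4Network(f"{net}/{mask}"), action)
            continue
        m = BIND_RE.match(line)
        if m:
            group, policy, prio = m.groups()
            cfg["bindings"].setdefault(group, []).append((int(prio), policy))
    for group in cfg["bindings"]:
        cfg["bindings"][group].sort()  # lower priority number is evaluated first
    return cfg


def authorize(cfg, group, dest_ip):
    """Decide for an already-authenticated user in `group` reaching `dest_ip`.

    The first bound policy whose subnet matches wins; when nothing matches the
    global Default Authorization Action is applied. Returns (action, reason).
    """
    addr = ipaddress.IPv4Address(dest_ip)
    for _prio, name in cfg["bindings"].get(group, []):
        net, action = cfg["policies"][name]
        if addr in net:
            return action, f"policy {name}"
    return cfg["default_action"], "default authorization action"


def audit(cfg):
    """Return findings a reviewer would raise against the export."""
    findings = []
    if cfg["default_action"] == "ALLOW":
        findings.append(
            "Default Authorization Action is ALLOW: any authenticated user reaches "
            "every resource no bound policy explicitly denies"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_config(text)
        print(f"[{label}] findings: {audit(cfg) or 'none'}")
        # Contractors against the finance subnet, the intranet web subnet,
        # and a group (Vendors) that has no authorization policy bound at all.
        for group, ip in (("Contractors", "10.20.1.1"), ("Contractors", "10.10.5.5"),
                          ("Vendors", "192.168.1.1")):
            print(f"[{label}] {group} -> {ip}: {authorize(cfg, group, ip)}")
```

The Vendors group is the instructive case: it has no policy bound, so under the weak export it is allowed everywhere by the default alone, while under the hardened export the same user is denied until an administrator writes an explicit Allow. Running the audit over a saved configuration is the check to add to an appliance review, since the setting lives in the global parameters rather than in any per-group policy and is easy to overlook.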
Affected
12 ranges indexed (identical rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_access_gateway_firmware | <= 8.1 | — |
| citrix | netscaler_access_gateway_firmware | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_adc_gateway | — | — |
| citrix | netscaler_gateway | — | — |
| citrix | xenserver | — | — |
The CVE description itself names only the NetScaler Access Gateway Enterprise Edition firmware (9.0, 8.1 and earlier; the indexed range shows only <= 8.1). The remaining products are inherited from the indexed CTX118770 bulletin entry below, whose product list covers several later CVEs, so they should not be read as affected by CVE-2009-2213.
CVSS provenance
NVD v3.1: 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 6.3 MEDIUM · AV:N/AC:M/Au:S/C:C/I:N/A:N
GHSA
GHSA-mqmq-69c9-vm4c · ghsa_unreviewed · 2022-05-02 · CVE-2009-2213 · MEDIUM · CWE-863
The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass intended access restrictions.
Citrix
CVE-2009-2213 · vendor_citrix · 2009-06-25 · MEDIUM · CVSS 6.5 · CWE-863
Same description as the CVE record above.
Citrix
Citrix Security Bulletin CTX118770 · vendor_citrix · CVE-2009-2213 · MEDIUM · CVSS 6.5
CVE references: CVE-2009-2213, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
The indexed bulletin entry aggregates CVEs from 2009 through 2026, so its product list is not specific to this CVE.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
CWE-863: Incorrect Authorization (mitre_cwe)
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Background: An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users, where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions.
CWE
CWE-285: Improper Authorization (mitre_cwe)
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Background: An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users, where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions.
CWE
CWE-287: Improper Authentication (mitre_cwe)
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands. This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Detection Methods:
Automated Static Analysis: Automated static analysis is useful for de
CWE
CWE-862: Missing Authorization (mitre_cwe)
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Background: An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users, where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: "No access", "Read access", "Change access", and "Full control". Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions.
References
http://support.citrix.com/article/CTX118770
http://www.securityfocus.com/bid/35422
http://www.vupen.com/english/advisories/2009/1641
https://exchange.xforce.ibmcloud.com/vulnerabilities/51274