CVE-2021-22927 — Session Fixation in Citrix Application Delivery Controller Firmware

CWE-384 — Session Fixation CWE-284 — Improper Access Control CWE-400 — Uncontrolled Resource Consumption4 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.3%

top 49.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Citrix Application Delivery Controller Firmware Citrix Gateway Citrix Netscaler Gateway +7 more

Timeline

PublishedAug 5

Latest updateMay 24

Description

A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages11 packages

▶NVDcitrix/gateway12.1 — 12.1-62.27+1

▶NVDcitrix/netscaler_gateway11.1 — 11.1-65.22

▶citrixcitrix/citrix_gateway

▶citrixcitrix/netscaler_gateway

▶NVDcitrix/application_delivery_controller_firmware11.1 — 11.1-65.22+3

🔴Vulnerability Details

GHSA

GHSA-j95v-2qpj-v897: A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13↗2022-05-24

▶

📋Vendor Advisories

Citrix

CVE-2021-22927: A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker↗2021-08-05

▶

Citrix

Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update↗2021-07-19

▶