CVE-2024-8535 — Files or Directories Accessible to External Parties in ADC

CWE-552 — Files or Directories Accessible to External Parties CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-440 — Expected Behavior Violation3 documents3 sources

Severity

5.8MEDIUMNVD

EPSS

0.6%

top 30.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netscaler ADC Netscaler Gateway Citrix Netscaler Application Delivery Controller +5 more

Timeline

PublishedNov 12

Latest updateNov 14

Description

Authenticated user can access unintended user capabilities in NetScaler ADC and NetScaler Gateway if the appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) with KCDAccount configuration for Kerberos SSO to access backend resources OR the appliance must be configured as an Auth Server (AAA Vserver) with KCDAccount configuration for Kerberos SSO to access backend resources

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

Affected Packages9 packages

▶NVDcitrix/netscaler_gateway12.1 — 13.1-55.34+1

▶CVEListV5netscaler/netscaler_gateway14.1 — 29.72+4

▶citrixcitrix/netscaler_gateway

▶CVEListV5netscaler/netscaler_adc14.1 — 29.72+4

▶NVDcitrix/netscaler_application_delivery_controller12.1 — 12.1-55.321+3

🔴Vulnerability Details

GHSA

GHSA-8xqq-wrhg-93q9: Authenticated user can access unintended user capabilities in NetScaler ADC and NetScaler Gateway if the appliance must be configured as a Gateway (SS↗2024-11-12

▶

📋Vendor Advisories

Citrix

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2024-8534 and CVE-2024-8535↗2024-11-14

▶