A vulnerability has been discovered in Citrix ADC and Citrix Gateway that allows an unauthenticated attacker to create a specially crafted URL to the appliance which redirects the victim's browser to a malicious website.
This vulnerability has the following identifier:
CVE-ID | Description | CWE | Pre-conditions
CVE-2022-27509 | Unauthenticated redirection to a malicious website | CWE-345: Insufficient Verification of Data Authenticity | Appliance must be configured as a VPN (Gateway) or AAA virtual server; a victim user must use an attacker-crafted link
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
Citrix ADC and Citrix Gateway 13.1 before 13.1-24.38
Citrix ADC and Citrix Gateway 13.0 before 13.0-86.17
Citrix ADC and Citrix Gateway 12.1 before 12.1-65.15
Citrix ADC 12.1-FIPS before 12.1-55.282
Citrix ADC 12.1-NDcPP before 12.1-55.282
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services do not need to take any action.
Citrix recommends that affected customers install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
Citrix ADC and Citrix Gateway 13.1-24.38 and later releases
Citrix ADC and Citrix Gateway 13.0-86.17 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-65.15 and later releases of 12.1
Citrix ADC 12.1-FIPS 12.1-55.282 and later releases of 12.1-FIPS
Citrix ADC 12.1-NDcPP 12.1-55.282 and later releases of 12.1-NDcPP
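To confirm whether a given appliance is on an affected build, the following Python script, added here as an example and not part of the Citrix bulletin, encodes the fixed builds listed above and compares the build reported by `show ns version` against them. The version-string format (`NetScaler NS13.1: Build 24.38.nc, ...`) and the sample strings are assumptions/constructed for the example. Because that output does not distinguish 12.1-FIPS and 12.1-NDcPP from mainline 12.1, the caller must supply the train for those appliances (the `train` parameter is an assumption of this example).

```python
import re
from typing import Dict, Optional, Tuple

# First build in each release train that contains the fix, taken from the
# bulletin's "install the relevant updated versions" list. Anything lower is affected.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "13.1": (24, 38),
    "13.0": (86, 17),
    "12.1": (65, 15),
    "12.1-FIPS": (55, 282),
    "12.1-NDcPP": (55, 282),
}

# Assumed format of the first line of `show ns version` output, e.g.
# "NetScaler NS13.1: Build 24.38.nc, Date: Jul 12 2022, 11:54:11   (64-bit)"
VERSION_RE = re.compile(r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_build(build: str) -> Tuple[int, int]:
    """Turn a build string such as '24.38' or '24.38.nc' into a comparable (major, minor) tuple."""
    parts = build.split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(parts[0]), int(parts[1])


def is_affected(release: str, build: str) -> bool:
    """Return True if `build` of `release` is below the fixed build from the bulletin.

    `release` is one of the FIXED_BUILDS keys. Releases not listed in the bulletin
    raise, rather than being silently reported as safe.
    """
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        raise ValueError(f"release {release!r} is not covered by this bulletin")
    return parse_build(build) < fixed


def check_show_ns_version(output: str, train: Optional[str] = None) -> Dict[str, object]:
    """Parse `show ns version` output and report whether the appliance is affected.

    `train` overrides the release key for 12.1-FIPS / 12.1-NDcPP appliances, which
    report themselves as plain 12.1 (assumption of this example: the output alone
    cannot tell the trains apart, so the operator must say which one it is).
    """
    match = VERSION_RE.search(output)
    if match is None:
        raise ValueError("could not find a 'NetScaler NSx.y: Build a.b' line in the output")
    release = train or match.group("release")
    build = match.group("build")
    return {
        "release": release,
        "build": build,
        "fixed_build": ".".join(str(n) for n in FIXED_BUILDS[release]),
        "affected": is_affected(release, build),
    }


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real appliances.
    samples = [
        ("NetScaler NS13.1: Build 24.37.nc, Date: Jun 20 2022, 10:00:00   (64-bit)", None),
        ("NetScaler NS13.0: Build 86.17.nc, Date: Jul 12 2022, 11:54:11   (64-bit)", None),
        ("NetScaler NS12.1: Build 62.27.nc, Date: May 02 2022, 09:30:00   (64-bit)", None),
        ("NetScaler NS12.1: Build 55.276.nc, Date: Apr 14 2022, 08:15:00   (64-bit)", "12.1-FIPS"),
    ]
    for text, train in samples:
        result = check_show_ns_version(text, train)
        status = "AFFECTED  " if result["affected"] else "not affected"
        print(f"{status} {result['release']:<10} build {result['build']:<8} (fixed: {result['fixed_build']})")
```

Run it on the appliance's own `show ns version` output; an "AFFECTED" result means the build predates the fixed build for that train and the upgrade above is still outstanding.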
Note: Customers who have previously copied the httpd.conf file to the /nsconfig directory must follow the steps at URL to ensure this security update is correctly installed.
Date | Change
2022-07-26 | Initial Publication