Description

A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

The vulnerability has been assigned the following CVE number:

  • CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution

The vulnerability affects all supported product versions and all supported platforms:
  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Remediation

Citrix strongly urges affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released. Subscribe to bulletin alerts at https://support.citrix.com/user/alerts to be notified when the new firmware is available.

References

CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway

Mitigation Steps for CVE-2019-19781

Related Vulnerabilities

WordPress Plugin Fast Secure Contact Form Remote Code Execution (4.0.44)

OpenX arbitrary file upload

Drupal Core 4.6.x Arbitrary Code Execution (4.6.0 - 4.6.6)

WordPress Plugin Gutenberg Block Editor Toolkit-EditorsKit Remote Code Execution (1.31.5)

PHP unserialize() used on user input

Severity

High

Classification

CVE-2019-19781 CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution