Description of Problem
| CVE-ID | Description | CWE | Affected Products | Pre-conditions |
|---|---|---|---|---|
| CVE-2020-8299 | Network-based denial-of-service from within the same Layer 2 network segment | CWE-400: Uncontrolled Resource Consumption | Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition | The attacker machine must be in the same Layer 2 network segment as the vulnerable appliance |
| CVE-2020-8300 | SAML authentication hijack through a phishing attack to steal a valid user session | CWE-284: Improper Access Control | Citrix ADC, Citrix Gateway | Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP |
The following supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition are affected by CVE-2020-8299:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-76.29
- Citrix ADC and Citrix Gateway 12.1 before 12.1-61.18
- Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
- Citrix ADC 12.1-FIPS before 12.1-55.238
- Citrix SD-WAN WANOP Edition 11.4 before 11.4.0
- Citrix SD-WAN WANOP Edition 11.3 before 11.3.2
- Citrix SD-WAN WANOP Edition 11.3 before 11.3.1a
- Citrix SD-WAN WANOP Edition 11.2 before 11.2.3a
- Citrix SD-WAN WANOP Edition 11.1 before 11.1.2c
- Citrix SD-WAN WANOP Edition 10.2 before 10.2.9a
The following supported versions of Citrix ADC and Citrix Gateway are affected by CVE-2020-8300:
- Citrix ADC and Citrix Gateway 13.0 before 13.0-82.41
- Citrix ADC and Citrix Gateway 12.1 before 12.1-62.23
- Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.20
- Citrix ADC 12.1-FIPS before 12.1-55.238
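To turn the two lists above into an inventory check, here is an added example (not Citrix code) that parses a Citrix ADC / Citrix Gateway build string in the advisory's own `MAJOR.MINOR-BUILD.SUB` notation (e.g. `13.0-76.29`) and reports which of the two CVEs a given build is still exposed to. It assumes the FIPS train is indicated by a separate flag rather than encoded in the build string, and it leaves the SD-WAN WANOP Edition lines out of scope.

```python
"""Map a Citrix ADC / Gateway build to the CVEs from this advisory it is affected by.

Added example for this advisory, not Citrix's own code. Assumes build strings in
the advisory's notation 'MAJOR.MINOR-BUILD.SUB' (e.g. '13.0-76.29'); the FIPS
train is selected with the fips flag instead of being parsed from the string.
"""
import re

# First non-vulnerable build per (release train, fips) and CVE, taken from the
# "before X" entries in the affected-version lists above.
FIXED = {
    "CVE-2020-8299": {
        ("13.0", False): (76, 29), ("12.1", False): (61, 18),
        ("11.1", False): (65, 20), ("12.1", True): (55, 238),
    },
    "CVE-2020-8300": {
        ("13.0", False): (82, 41), ("12.1", False): (62, 23),
        ("11.1", False): (65, 20), ("12.1", True): (55, 238),
    },
}

_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version):
    """Split '13.0-76.29' into ('13.0', (76, 29)); reject anything else."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Citrix ADC build string: {version!r}")
    train, build, sub = m.groups()
    return train, (int(build), int(sub))


def affected_cves(version, fips=False):
    """Return the advisory CVEs the build is vulnerable to, oldest CVE first.

    Returns None when the release train is not covered by this advisory at all,
    so an unlisted train is never mistaken for a patched one.
    """
    train, build = parse_build(version)
    key = (train, fips)
    if not any(key in fixed for fixed in FIXED.values()):
        return None
    # Tuple comparison orders (build, sub) numerically, so 76.9 < 76.29 holds.
    return [cve for cve, fixed in FIXED.items()
            if key in fixed and build < fixed[key]]
```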
These issues have already been addressed in Citrix-managed cloud services such as Citrix Gateway Service and Citrix Secure Workspace Access. Customers using Citrix-managed services do not need to take any additional action.