Vulnerability Details : CVE-2015-5080
The Management Interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.1 before 10.1.132.8, 10.5 before Build 56.15, and 10.5.e before Build 56.1505.e allows remote authenticated users to execute arbitrary shell commands via shell metacharacters in the filter parameter to rapi/ipsec_logs.
Products affected by CVE-2015-5080
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.5:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.120.1316.e:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.121:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.128:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.129:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.126:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.127:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.124:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.125:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.122:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.1.123:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_application_delivery_controller_firmware:10.5e:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.122:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.123:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.120.1316.e:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.121:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.128:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.129:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.126:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.127:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.124:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.1.125:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.5.50.10:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.5.51.10:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.5:*:*:*:*:*:*:*
- cpe:2.3:o:citrix:netscaler_gateway_firmware:10.5e:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-5080
0.32%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-5080
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST |
CWE ids for CVE-2015-5080
-
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-5080
-
http://support.citrix.com/article/CTX201149
CVE-2015-5080 - Vulnerability in Citrix NetScaler Application Deliver Controller and NetScaler Gateway Management Interface Could Result in Arbitrary Command Injection
-
http://security-assessment.com/files/documents/advisory/Citrix-Netscaler-Final.pdf
-
http://www.securitytracker.com/id/1032762
Citrix NetScaler ADC and NetScaler Gateway Lets Remote Authenticated Users Execute Arbitrary Shell Commands - SecurityTracker
-
http://www.securityfocus.com/bid/75505
Citrix NetScaler ADC and Gateway CVE-2015-5080 Arbitrary Command Injection Vulnerability
Jump to