CVE-2021-22919 : A vulnerability has been discovered in Citrix ADC (formerly known as NetScaler A

A vulnerability has been discovered in Citrix ADC (formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could lead to the limited available disk space on the appliances being fully consumed.

Published 2021-08-05 21:15:11

Updated 2021-08-16 16:54:36

Source HackerOne

View at NVD, CVE.org

Products affected by CVE-2021-22919

Citrix » Application Delivery Controller Firmware
Versions from including (>=) 12.1 and before (<) 12.1-62.27
cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » Application Delivery Controller » Version: N/A
Citrix » Application Delivery Controller Firmware
Versions from including (>=) 12.1 and before (<) 12.1-55.238
cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » Mpx/sdx 14030 Fips » Version: N/A
When used together with: Citrix » Mpx/sdx 14060 Fips » Version: N/A
When used together with: Citrix » Mpx/sdx 14080 Fips » Version: N/A
When used together with: Citrix » Mpx 15030-50g Fips » Version: N/A
When used together with: Citrix » Mpx 15040-50g Fips » Version: N/A
When used together with: Citrix » Mpx 15060-50g Fips » Version: N/A
When used together with: Citrix » Mpx 15080-50g Fips » Version: N/A
When used together with: Citrix » Mpx 15100-50g Fips » Version: N/A
When used together with: Citrix » Mpx 15120-50g Fips » Version: N/A
When used together with: Citrix » Mpx 8905 Fips » Version: N/A
When used together with: Citrix » Mpx 8910 Fips » Version: N/A
When used together with: Citrix » Mpx 8920 Fips » Version: N/A
Citrix » Application Delivery Controller Firmware
Versions from including (>=) 11.1 and before (<) 11.1-65.22
cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » Application Delivery Controller » Version: N/A
Citrix » Application Delivery Controller Firmware
Versions from including (>=) 13.0 and before (<) 13.0-82.45
cpe:2.3:o:citrix:application_delivery_controller_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » Application Delivery Controller » Version: N/A
Citrix » Netscaler Gateway
Versions from including (>=) 11.1 and before (<) 11.1-65.22
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
Matching versions
Citrix » Sd-wan Wanop
Versions from including (>=) 11.2 and before (<) 11.2.3.b
cpe:2.3:o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » 4000-wo » Version: N/A
When used together with: Citrix » 4100-wo » Version: N/A
When used together with: Citrix » 5000-wo » Version: N/A
When used together with: Citrix » 5100-wo » Version: N/A
Citrix » Sd-wan Wanop
Versions from including (>=) 10.2 and before (<) 10.2.9.b
cpe:2.3:o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » 4000-wo » Version: N/A
When used together with: Citrix » 4100-wo » Version: N/A
When used together with: Citrix » 5000-wo » Version: N/A
When used together with: Citrix » 5100-wo » Version: N/A
Citrix » Sd-wan Wanop
Versions from including (>=) 11.3 and before (<) 11.3.2.a
cpe:2.3:o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » 4000-wo » Version: N/A
When used together with: Citrix » 4100-wo » Version: N/A
When used together with: Citrix » 5000-wo » Version: N/A
When used together with: Citrix » 5100-wo » Version: N/A
Citrix » Sd-wan Wanop
Versions from including (>=) 11.4 and before (<) 11.4.0.a
cpe:2.3:o:citrix:sd-wan_wanop:*:*:*:*:*:*:*:*
Matching versions
When used together with: Citrix » 4000-wo » Version: N/A
When used together with: Citrix » 4100-wo » Version: N/A
When used together with: Citrix » 5000-wo » Version: N/A
When used together with: Citrix » 5100-wo » Version: N/A
Citrix » Gateway
Versions from including (>=) 12.1 and before (<) 12.1-62.27
cpe:2.3:a:citrix:gateway:*:*:*:*:*:*:*:*
Matching versions
Citrix » Gateway
Versions from including (>=) 13.0 and before (<) 13.0-82.45
cpe:2.3:a:citrix:gateway:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-22919

EPSS FAQ

0.70%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-22919

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-22919

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Assigned by:
- nvd@nist.gov (Primary)
- support@hackerone.com (Secondary)

References for CVE-2021-22919

https://support.citrix.com/article/CTX319135

Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-22919

Products affected by CVE-2021-22919

Exploit prediction scoring system (EPSS) score for CVE-2021-22919

CVSS scores for CVE-2021-22919

CWE ids for CVE-2021-22919

References for CVE-2021-22919