{"api_version":"1","generated_at":"2026-04-23T06:18:50+00:00","cve":"CVE-2001-0908","urls":{"html":"https://cve.report/CVE-2001-0908","api":"https://cve.report/api/cve/CVE-2001-0908.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2001-0908","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2001-0908"},"summary":{"title":"CVE-2001-0908","description":"CITRIX Metaframe 1.8 logs the Client Address (IP address) that is provided by the client instead of obtaining it from the packet headers, which allows clients to spoof their public IP address, e.g. through Network Address Translation (NAT).","state":"PUBLISHED","assigner":"mitre","published_at":"2001-11-21 05:00:00","updated_at":"2025-04-03 01:03:51"},"problem_types":["NVD-CWE-Other","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://www.securityfocus.com/bid/3566","name":"http://www.securityfocus.com/bid/3566","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"504 Gateway Time-out","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://marc.info/?l=bugtraq&m=100638693315933&w=2","name":"http://marc.info/?l=bugtraq&m=100638693315933&w=2","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/7538","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/7538","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2001-0908","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2001-0908","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2001","cve_id":"908","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"citrix","cpe5":"metaframe","cpe6":"1.8","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-08T04:37:06.655Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"win-terminal-spoof-address(7538)","tags":["vdb-entry","x_refsource_XF","x_transferred"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/7538"},{"name":"20011121 CITRIX & Microsoft Windows Terminal Services False IP Address Vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://marc.info/?l=bugtraq&m=100638693315933&w=2"},{"name":"3566","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/3566"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2001-11-21T00:00:00.000Z","descriptions":[{"lang":"en","value":"CITRIX Metaframe 1.8 logs the Client Address (IP address) that is provided by the client instead of obtaining it from the packet headers, which allows clients to spoof their public IP address, e.g. through Network Address Translation (NAT)."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-12-18T21:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"win-terminal-spoof-address(7538)","tags":["vdb-entry","x_refsource_XF"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/7538"},{"name":"20011121 CITRIX & Microsoft Windows Terminal Services False IP Address Vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://marc.info/?l=bugtraq&m=100638693315933&w=2"},{"name":"3566","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/3566"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2001-0908","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"CITRIX Metaframe 1.8 logs the Client Address (IP address) that is provided by the client instead of obtaining it from the packet headers, which allows clients to spoof their public IP address, e.g. through Network Address Translation (NAT)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"win-terminal-spoof-address(7538)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/7538"},{"name":"20011121 CITRIX & Microsoft Windows Terminal Services False IP Address Vulnerability","refsource":"BUGTRAQ","url":"http://marc.info/?l=bugtraq&m=100638693315933&w=2"},{"name":"3566","refsource":"BID","url":"http://www.securityfocus.com/bid/3566"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2001-0908","datePublished":"2002-02-02T05:00:00.000Z","dateReserved":"2002-01-31T00:00:00.000Z","dateUpdated":"2024-08-08T04:37:06.655Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2001-11-21 05:00:00","lastModifiedDate":"2025-04-03 01:03:51","problem_types":["NVD-CWE-Other","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":true,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:citrix:metaframe:1.8:*:*:*:*:*:*:*","matchCriteriaId":"9000244E-D977-4EB9-B05D-64494329029B"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2001","CveId":"908","Ordinal":"1","Title":"CVE-2001-0908","CVE":"CVE-2001-0908","Year":"2001"},"notes":[{"CveYear":"2001","CveId":"908","Ordinal":"1","NoteData":"CITRIX Metaframe 1.8 logs the Client Address (IP address) that is provided by the client instead of obtaining it from the packet headers, which allows clients to spoof their public IP address, e.g. through Network Address Translation (NAT).","Type":"Description","Title":"CVE-2001-0908"},{"CveYear":"2001","CveId":"908","Ordinal":"2","NoteData":"2002-02-02","Type":"Other","Title":"Published"},{"CveYear":"2001","CveId":"908","Ordinal":"3","NoteData":"2017-12-18","Type":"Other","Title":"Modified"}]}}}