CVE-2019-6485

22.02.2019, 23:29

Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 allow remote attackers to obtain sensitive plaintext information because of a TLS Padding Oracle Vulnerability when CBC-based cipher suites are enabled.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 68%

Vendor	Product	Version
citrix	netscaler_gateway_firmware	10.5
citrix	netscaler_gateway_firmware	11.0
citrix	netscaler_gateway_firmware	11.1
citrix	netscaler_gateway_firmware	12.0
citrix	netscaler_gateway_firmware	12.1
citrix	netscaler_application_delivery_controller_firmware	10.5
citrix	netscaler_application_delivery_controller_firmware	11.0
citrix	netscaler_application_delivery_controller_firmware	11.1
citrix	netscaler_application_delivery_controller_firmware	12.0
citrix	netscaler_application_delivery_controller_firmware	12.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

References

http://www.securityfocus.com/bid/106783

https://github.com/RUB-NDS/TLS-Padding-Oracles

https://support.citrix.com/article/CTX240139

http://www.securityfocus.com/bid/106783

https://github.com/RUB-NDS/TLS-Padding-Oracles

https://support.citrix.com/article/CTX240139