Vulnerability Name: CVE-2019-6485 (CCN-157507) Assigned: 2019-01-23 Published: 2019-01-23 Updated: 2020-08-24 Summary: Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 allow remote attackers to obtain sensitive plaintext information because of a TLS Padding Oracle Vulnerability when CBC-based cipher suites are enabled. CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): NoneAvailibility (A): None
5.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N 5.1 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): LowIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-327 Vulnerability Consequences: Obtain Information References: Source: MITRECVE-2019-6485 106783 citrix-netscaler-cve20196485-info-disc(157507) https://github.com/RUB-NDS/TLS-Padding-Oracles TLS Padding Oracle Vulnerability in Citrix Application Delivery Controller (ADC) and NetScaler Gateway https://support.citrix.com/article/CTX240139 IBM MegaRAID Storage Manager is affected by a vulnerability in TLS (CVE-2019-6485) Citrix NetScaler Gateway TLS Padding Oracle Vulnerability (CTX240139) Vulnerable Configuration: Configuration 1 :cpe:/o:citrix:netscaler_gateway_firmware:10.5:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:11.0:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:11.1:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:12.0:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:12.1:*:*:*:*:*:*:* AND cpe:/h:citrix:netscaler_gateway:-:*:*:*:*:*:*:* Configuration 2 :cpe:/o:citrix:netscaler_application_delivery_controller_firmware:10.5:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:11.0:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:11.1:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:12.0:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:12.1:*:*:*:*:*:*:* AND cpe:/h:citrix:netscaler_application_delivery_controller:-:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:citrix:netscaler_application_delivery_controller:10.5e:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:10.5:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:11.0:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:11.1:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:12.0:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:10.5e:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:10.5:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:11.0:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:11.1:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:12.0:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_gateway_firmware:12.1:*:*:*:*:*:*:* OR cpe:/o:citrix:netscaler_application_delivery_controller_firmware:12.1:*:*:*:*:*:*:* BACK
citrix netscaler gateway firmware 10.5
citrix netscaler gateway firmware 11.0
citrix netscaler gateway firmware 11.1
citrix netscaler gateway firmware 12.0
citrix netscaler gateway firmware 12.1
citrix netscaler gateway -
citrix netscaler application delivery controller firmware 10.5
citrix netscaler application delivery controller firmware 11.0
citrix netscaler application delivery controller firmware 11.1
citrix netscaler application delivery controller firmware 12.0
citrix netscaler application delivery controller firmware 12.1
citrix netscaler application delivery controller -
citrix netscaler application delivery controller 10.5e
citrix netscaler application delivery controller firmware 10.5
citrix netscaler application delivery controller firmware 11.0
citrix netscaler application delivery controller firmware 11.1
citrix netscaler application delivery controller firmware 12.0
citrix netscaler gateway firmware 10.5e
citrix netscaler gateway firmware 10.5
citrix netscaler gateway firmware 11.0
citrix netscaler gateway firmware 11.1
citrix netscaler gateway firmware 12.0
citrix netscaler gateway firmware 12.1
citrix netscaler application delivery controller firmware 12.1
Denotes that component is vulnerable