9.4

CVE-2023-4966

Warnung
Medienbericht

Unauthenticated sensitive information disclosure

Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA  virtual server.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CitrixNetscaler Application Delivery Controller SwEditionfips Version >= 12.1 < 12.1-55.300
CitrixNetscaler Application Delivery Controller SwEditionndcpp Version >= 12.1 < 12.1-55.300
CitrixNetscaler Application Delivery Controller SwEdition- Version >= 13.0 < 13.0-92.19
CitrixNetscaler Application Delivery Controller SwEditionfips Version >= 13.1 < 13.1-37.164
CitrixNetscaler Application Delivery Controller SwEdition- Version >= 13.1 < 13.1-49.15
CitrixNetscaler Application Delivery Controller SwEdition- Version >= 14.1 < 14.1-8.50
CitrixNetScaler Gateway Version >= 13.0 < 13.0-92.19
CitrixNetScaler Gateway Version >= 13.1 < 13.1-49.15
CitrixNetScaler Gateway Version >= 14.1 < 14.1-8.50

18.10.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability

Schwachstelle

Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Beschreibung

Apply mitigations and kill all active and persistent sessions per vendor instructions [https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/] OR discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 100% 1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
secure@citrix.com 9.4 3.9 5.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
01.04.2026 09:30
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
25.03.2026 17:08
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
24.03.2026 08:23
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
19.03.2026 15:51
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
09.08.2025 11:36
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
09.08.2025 11:36
http://packetstormsecurity.com/files/175323/Citrix-Bleed-Session-Token-Leakage-Proof-Of-Concept.html
Third Party Advisory
VDB Entry
https://support.citrix.com/article/CTX579459
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4966
US Government Resource