Citrix Addresses Another Critical Vulnerability Resembling Citrix Bleed

Citrix Bleed has been identified as a critical information disclosure vulnerability with a CVSS score of 9.4/10. This vulnerability affects the NetScaler ADC and Gateway appliances when configured as a Gateway or AAA virtual server. Unlike CVE-2023-4966, Citrix Bleed does not expose highly sensitive data to attackers.

Although Citrix has not assigned a CVE ID to this vulnerability, it was fixed in NetScaler version 13.1-51.15. Citrix is believed to have quietly addressed the issue without public disclosure. Bishop Fox advises users to update to version 13.1-51.15 or later to mitigate this vulnerability.

The bug allows attackers to potentially access sensitive data from memory, with cases where POST request bodies containing credentials or cookies are leaked. It is uncertain whether Citrix had privately disclosed this vulnerability to customers or acknowledged Bishop Fox’s findings as a security flaw.

Article Source
https://www.csoonline.com/article/2098805/citrix-quietly-fixes-a-new-critical-vulnerability-similar-to-citrix-bleed.html