CVE-2015-3642 | Citrix Netscaler Application Delivery Controller information disclosure (ID 38604)

CVSS Meta Temp Score: 5.7. CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.

Current Exploit Price (≈): $0-$5k. Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. It is a good indicator to understand the monetary effort required for and the popularity of an attack.

CTI Interest Score: 0.00. Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.

A vulnerability was found in Citrix Netscaler Application Delivery Controller 9.3/10.0/10.1 (Network Management Software) and classified as critical. Affected by this issue is an unknown code block. The manipulation with an unknown input leads to an information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. Impacted is confidentiality, integrity, and availability. CVE summarizes:

The TLS and DTLS processing functionality in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway devices with firmware 9.x before 9.3 Build 68.5, 10.0 through Build 78.6, 10.1 before Build 130.13, 10.1.e before Build 130.1302.e, 10.5 before Build 55.8, and 10.5.e before Build 55.8007.e makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).

The issue was discovered 01/20/2015. The weakness was shared 08/02/2017 (Website). The advisory is available at This vulnerability is handled as CVE-2015-3642 since 05/04/2015. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 11/03/2019). The vulnerability was handled as a non-public zero-day exploit for at least 925 days. During that time the estimated underground price was around $5k-$25k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 38604 (TLS CBC Incorrect Padding Abuse Vulnerability). There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.




VulDB Meta Base Score: 5.7
VulDB Meta Temp Score: 5.7

VulDB Base Score: 5.6
VulDB Temp Score: 5.6
VulDB Vector:
VulDB Reliability:

NVD Base Score: 5.9
NVD Vector:



Class: Information disclosure
CWE: CWE-200
ATT&CK: Unknown

Local: No
Remote: Yes

Status: Not defined
Price Prediction:
Current Price Estimate:


Qualys ID:
Qualys Name




Recommended: no mitigation known

0-Day time:


05/04/2015 +104 days
08/02/2017 +821 days
08/02/2017 +0 days
08/03/2017 +1 days
11/03/2019 +822 days



condition: Not defined

CVE: CVE-2015-3642


Created: 08/03/2017 10:25
Updated: 11/03/2019 10:12
Changes: (2) vulnerability_discoverydate advisory_confirm_url
