6.5

CVE-2019-19101

Incomplete communication encryption and validation in B&R Automation Studio upgrade service

A missing secure communication definition and an incomplete TLS validation in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.5SP, < 4.6.4 and < 4.7.2 enable unauthenticated users to perform MITM attacks via the B&R upgrade server.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Br-automationAutomation Studio Version >= 4.0 <= 4.0.29.87
Br-automationAutomation Studio Version >= 4.1 <= 4.1.17.113
Br-automationAutomation Studio Version >= 4.2 <= 4.2.14.119
Br-automationAutomation Studio Version >= 4.3 < 4.3.11
Br-automationAutomation Studio Version >= 4.4 < 4.4.9
Br-automationAutomation Studio Version >= 4.5 < 4.5.5
Br-automationAutomation Studio Version >= 4.6 < 4.6.4
Br-automationAutomation Studio Version >= 4.7 < 4.7.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.52% 0.397
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
cybersecurity@ch.abb.com 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://www.br-automation.com/en/downloads/032020-multiple-vulnerabilities-in-automation-studio/
Vendor Advisory
Broken Link