CVE-2019-19101
29.04.2020, 03:15
A missing secure communication definition and an incomplete TLS validation in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.5SP, < 4.6.4 and < 4.7.2 enable unauthenticated users to perform MITM attacks via the B&R upgrade server.
| Vendor | Product | Version |
|---|---|---|
| br-automation | automation_studio | 4.0 ≤ x ≤ 4.0.29.87 |
| br-automation | automation_studio | 4.1 ≤ x ≤ 4.1.17.113 |
| br-automation | automation_studio | 4.2 ≤ x ≤ 4.2.14.119 |
| br-automation | automation_studio | 4.3 ≤ x < 4.3.11 |
| br-automation | automation_studio | 4.4 ≤ x < 4.4.9 |
| br-automation | automation_studio | 4.5 ≤ x < 4.5.5 |
| br-automation | automation_studio | 4.6 ≤ x < 4.6.4 |
| br-automation | automation_studio | 4.7 ≤ x < 4.7.2 |

x = vulnerable software versions
Common Weakness Enumeration
- CWE-326 - Inadequate Encryption Strength: The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
- CWE-295 - Improper Certificate Validation: The software does not validate, or incorrectly validates, a certificate.