CVE-2019-19100 : A privilege escalation vulnerability in the upgrade service in B&R Automation St

A privilege escalation vulnerability in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.4SP, <. 4.6.3SP, < 4.7.2 and < 4.8.1 allow authenticated users to delete arbitrary files via an exposed interface.

Published 2020-04-29 03:15:17

Updated 2021-09-14 14:00:53

Source Asea Brown Boveri Ltd. (ABB)

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2019-19100

Br-automation » Automation Studio
Versions from including (>=) 4.4 and before (<) 4.4.9
cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*
Matching versions
Br-automation » Automation Studio
Versions from including (>=) 4.1 and up to, including, (<=) 4.1.17.113
cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*
Matching versions
Br-automation » Automation Studio
Versions from including (>=) 4.0 and up to, including, (<=) 4.0.29.87
cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*
Matching versions
Br-automation » Automation Studio
Versions from including (>=) 4.6 and before (<) 4.6.3
cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*
Matching versions
Br-automation » Automation Studio
Versions from including (>=) 4.7 and before (<) 4.7.2
cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*
Matching versions
Br-automation » Automation Studio
Versions from including (>=) 4.3 and before (<) 4.3.11
cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*
Matching versions
Br-automation » Automation Studio
Versions from including (>=) 4.2 and up to, including, (<=) 4.2.14.119
cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*
Matching versions
Br-automation » Automation Studio
Versions from including (>=) 4.5 and before (<) 4.5.4
cpe:2.3:a:br-automation:automation_studio:*:*:*:*:*:*:*:*
Matching versions
Br-automation » Automation Studio » Version: 4.8
cpe:2.3:a:br-automation:automation_studio:4.8:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-19100

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 9 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-19100

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:N/I:P/A:P	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H	1.1	5.8	Asea Brown Boveri Ltd. (ABB)
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: None Integrity: High Availability: High
7.1	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H	1.8	5.2	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2019-19100

CWE-264

Assigned by: cybersecurity@ch.abb.com (Secondary)

References for CVE-2019-19100

https://www.br-automation.com/en/downloads/032020-multiple-vulnerabilities-in-automation-studio/

#03/2020 - Multiple Vulnerabilities in Automation Studio | B&R Industrial Automation
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-19100

Products affected by CVE-2019-19100

Exploit prediction scoring system (EPSS) score for CVE-2019-19100

CVSS scores for CVE-2019-19100

CWE ids for CVE-2019-19100

References for CVE-2019-19100