CVE-2019-19100

Description

A privilege escalation vulnerability in the upgrade service in B&R Automation Studio versions 4.0.x, 4.1.x, 4.2.x, < 4.3.11SP, < 4.4.9SP, < 4.5.4SP, <. 4.6.3SP, < 4.7.2 and < 4.8.1 allow authenticated users to delete arbitrary files via an exposed interface.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

Affected products

B&R / Automation Studio4.0.x – 4.0.x
B&R / Automation Studio4.1.x – 4.1.x
B&R / Automation Studio4.2.x – 4.2.x
B&R / Automation Studio< 4.3.11SP – < 4.3.11SP
B&R / Automation Studio< 4.4.9SP – < 4.4.9SP
B&R / Automation Studio< 4.5.4SP – < 4.5.4SP
B&R / Automation Studio< 4.6.3SP – < 4.6.3SP
B&R / Automation Studio< 4.7.2 – < 4.7.2
B&R / Automation Studio< 4.8.1 – < 4.8.1

References

MISChttps://www.br-automation.com/en/downloads/032020-multiple-vulnerabilities-in-automation-studio/