Main Vulnerability Database Vulnerabilities #VU26606

#VU26606 Path traversal in Automation Studio - CVE-2019-19102

Published: April 6, 2020

Vulnerability identifier: #VU26606

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-19102

CWE-ID: CWE-22

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Automation Studio

Software vendor:
B&R Industrial Automation GmbH

Description

The vulnerability allows a local attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in SharpZipLib used in the upgrade service. A local attacker can send a specially crafted HTTP request and read arbitrary files on the system.

This vulnerability affects the following versions:

Automation Studio, Versions 4.0.x

Automation Studio, Versions 4.1.x

Automation Studio, Versions 4.2.x

Automation Studio, versions prior to 4.3.11SP

Automation Studio, versions prior to 4.4.9SP

Automation Studio, versions prior to 4.5.4SP

Automation Studio, versions prior to 4.6.3SP

Automation Studio, versions prior to 4.7.2

Automation Studio, versions prior to 4.8.1

Remediation

Install update from vendor's website.

#VU26606 Path traversal in Automation Studio - CVE-2019-19102

Description

Remediation

External links

Please verify you're human