CVE-2019-19104

Published: Apr 22, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The web server in ABB Telephone Gateway TG/S 3.2 and Busch-Jaeger 6186/11 Telefon-Gateway allows access to different endpoints of the application without authenticating by accessing a specific uniform resource locator (URL) , violating the access-control (ACL) rules. This issue allows obtaining sensitive information that may aid in further attacks and privilege escalation.

Affected (2)

Products: Abb: Tg/s3.2 Firmware · Busch Jaeger: 6186/11 Firmware

1 product

Tg/s3.2 Firmware

1 product

6186/11 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Abb Tg/s3.2 Firmware	All versions

Running on/with	Platform Versions
Abb Tg/s3.2	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Busch Jaeger 6186/11 Firmware	All versions

Running on/with	Platform Versions
Busch Jaeger 6186/11	All versions

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (2)

https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A3921&LanguageCode=en&DocumentPartId=&Action=Launch

Source: cybersecurity@ch.abb.com

Vendor Advisory

https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A3921&LanguageCode=en&DocumentPartId=&Action=Launch

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.