Medium
CVE-2019-19100
A privilege escalation vulnerability in the upgrade service in B&R Automation Studio could allow authenticated users to delete arbitrary files via an exposed interface.
CVE-2019-19101
A missing secure communication definition and an incomplete TLS validation in the upgrade service in B&R Automation Studio enable unauthenticated users to perform MITM attacks via the B&R upgrade server.
CVE-2019-19102
A directory traversal vulnerability in SharpZipLib used in the upgrade service in B&R Automation Studio allows unauthenticated users to write to certain local directories. The vulnerability is also known as “zip slip.”
B&R Automation
Automation Studio
Refer to ICS advisory for the complete list of affected products and updates.