A vulnerability, which was classified as problematic, was found in Red Lion Controls Crimson up to 3.1. This affects an unknown function of the component Configuration File Handler. The manipulation with an unknown input leads to a hard-coded credentials vulnerability. CWE is classifying the issue as CWE-798. The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. This is going to have an impact on confidentiality. The summary by CVE is:

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files.

The weakness was shared 09/23/2019. This vulnerability is uniquely identified as CVE-2019-10990 since 04/08/2019. The exploitability is told to be difficult. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1110.001 for this issue.

Applying the patch 3.1 3112.00 is able to eliminate this problem.

The entries VDB-142150, VDB-142148 and VDB-142147 are related to this item. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Red Lion

Name

• Controls Crimson

Version

• 3.0
• 3.1

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion