CVE-2019-5135

CWE-327 — Broken Cryptographic Algorithm CWE-2033 documents3 sources

Severity

5.3MEDIUM

EPSS

0.2%

top 62.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wago Wago Pfc100 Firmware Wago Wago Pfc200 Firmware Wago Pfc100 Firmware +1 more

Timeline

PublishedMar 11

Latest updateMay 24

Description

An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO PFC100/200 controllers. The WBM application makes use of the PHP crypt() function which can be exploited to disclose hashed user credentials. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDwago/pfc100_firmware03.00.39\(12\)

▶CVEListV5wago/wago_pfc100_firmwareversion 03.00.39(12)

▶NVDwago/pfc200_firmware03.00.39\(12\), 03.01.07\(13\)+1

▶CVEListV5wago/wago_pfc200_firmwareversion 03.00.39(12), version 03.01.07(13)+1

🔴Vulnerability Details

GHSA

GHSA-pgq5-f878-vwpf: An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO P↗2022-05-24

▶

CVEList

CVE-2019-5135: An exploitable timing discrepancy vulnerability exists in the authentication functionality of the Web-Based Management (WBM) web application on WAGO P↗2020-03-10

▶