CVE-2019-10990 – Red Lion Crimson Hard-coded Cryptographic Key Information Disclosure Vulnerability

https://notcve.org/view.php?id=CVE-2019-10990

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files. Red Lion Controls Crimson, versión 3.0 y anterior y versión 3.1 anterior a la publicación 3112.00, utiliza una contraseña embebida para encriptar archivos protegidos en tránsito y en reposo, lo que puede permitir a un atacante acceder a los archivos de configuración. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Red Lion Crimson. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CTextStreamMemory class. The class contains hard-coded secrets in clear text. • https://www.us-cert.gov/ics/advisories/icsa-19-248-01 • CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •