Vulnerability Monitor

CVE-2019-5149


The WBM web application on firmwares prior to 03.02.02 and 03.01.07 on the WAGO PFC100 and PFC200, respectively, runs on a lighttpd web server and makes use of the FastCGI module, which is intended to provide high performance for all Internet applications without the penalties of Web server APIs. However, the default configuration of this module appears to limit the number of concurrent php-cgi processes to two, which can be abused to cause a denial of service of the entire web server. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12) and version 03.02.02(14).


Published

2020-03-11T22:27:40.583

Last Modified

2024-11-21T04:44:26.647

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-400

Affected Vendors & Products
Type             | Vendor | Product         | Version/Range | Vulnerable?
-----------------|--------|-----------------|---------------|------------
Operating System | wago   | pfc200_firmware | 03.00.39(12)  | Yes
Operating System | wago   | pfc200_firmware | 03.01.07(13)  | Yes
Hardware         | wago   | pfc200          | -             | No
Operating System | wago   | pfc100_firmware | 03.00.39(12)  | Yes
Operating System | wago   | pfc100_firmware | 03.01.07(13)  | Yes
Hardware         | wago   | pfc100          | -             | No
