CVE-2019-3938

CVE-2019-3938

Vendor Crestron
Product Crestron AirMedia
Weakness CWE-522 · Insufficiently protected credentials
Published April 30, 2019
Last update August 4, 2024

CVSS base score

What the vulnerability does

01Description

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 stores usernames, passwords, and other configuration options in the file generated via the "export configuration" feature. The configuration file is encrypted using the awenc binary. The same binary can be used to decrypt any configuration file since all the encryption logic is hard coded. A local attacker can use this vulnerability to gain access to devices username and passwords.

Key dates

02Disclosure timeline

April 30, 2019 CVE published
August 4, 2024 Record updated