CVE-2019-10990 - Vulnerability Details - OpenCVE

Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redlion	Crimson

Configuration 1 [-]

OR	cpe:2.3:a:redlion:crimson::::::::
	cpe:2.3:a:redlion:crimson::::::::

No data.

References

Link	Providers
https://www.us-cert.gov/ics/advisories/icsa-19-248-01

History

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2019-09-23T15:46:43.000Z

Updated: 2026-06-02T20:07:19.166Z

Reserved: 2019-04-08T00:00:00.000Z

Link: CVE-2019-10990

Vulnrichment

Updated: 2024-08-04T22:40:15.501Z

NVD

Status : Modified

Published: 2019-09-23T16:15:14.837

Modified: 2026-06-02T21:16:23.030

Link: CVE-2019-10990

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Red Lion Controls Crimson (Windows configuration software)", "vendor": "n/a", "versions": [{"status": "affected", "version": "Version 3.0 and prior, Version 3.1 prior to release 3112.00"}]}], "descriptions": [{"lang": "en", "value": "Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-09-23T15:46:43.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2019-10990", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Red Lion Controls Crimson (Windows configuration software)", "version": {"version_data": [{"version_value": "Version 3.0 and prior, Version 3.1 prior to release 3112.00"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321"}]}]}, "references": {"reference_data": [{"name": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:40:15.501Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-02T20:06:57.948254Z", "id": "CVE-2019-10990", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-02T20:07:19.166Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2019-10990", "datePublished": "2019-09-23T15:46:43.000Z", "dateReserved": "2019-04-08T00:00:00.000Z", "dateUpdated": "2026-06-02T20:07:19.166Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:40:15.501Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2019-10990", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-02T20:06:57.948254Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-02T20:06:51.396Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "Red Lion Controls Crimson (Windows configuration software)", "versions": [{"status": "affected", "version": "Version 3.0 and prior, Version 3.1 prior to release 3112.00"}]}], "references": [{"url": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2019-09-23T15:46:43.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "Version 3.0 and prior, Version 3.1 prior to release 3112.00"}]}, "product_name": "Red Lion Controls Crimson (Windows configuration software)"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01", "name": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-10990", "STATE": "PUBLIC", "ASSIGNER": "ics-cert@hq.dhs.gov"}}}}, "cveMetadata": {"cveId": "CVE-2019-10990", "state": "PUBLISHED", "dateUpdated": "2026-06-02T20:07:19.166Z", "dateReserved": "2019-04-08T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2019-09-23T15:46:43.000Z", "assignerShortName": "icscert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redlion:crimson:*:*:*:*:*:*:*:*", "matchCriteriaId": "20C9472F-1425-468D-86E7-C91BCA30692D", "versionEndIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redlion:crimson:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDDEB3A0-80D0-4A18-8F21-1BE069654E73", "versionEndExcluding": "3112.00", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Red Lion Controls Crimson, version 3.0 and prior and version 3.1 prior to release 3112.00, uses a hard-coded password to encrypt protected files in transit and at rest, which may allow an attacker to access configuration files."}, {"lang": "es", "value": "Red Lion Controls Crimson, versi\u00f3n 3.0 y anterior y versi\u00f3n 3.1 anterior a la publicaci\u00f3n 3112.00, utiliza una contrase\u00f1a embebida para encriptar archivos protegidos en tr\u00e1nsito y en reposo, lo que puede permitir a un atacante acceder a los archivos de configuraci\u00f3n."}], "id": "CVE-2019-10990", "lastModified": "2026-06-02T21:16:23.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2019-09-23T16:15:14.837", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.us-cert.gov/ics/advisories/icsa-19-248-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}