CVE-2019-10959
CRITICAL
BD Alaris Gateway Workstation Firmware - Unrestricted File Upload
Title source: ruleDescription
BD Alaris Gateway Workstation versions 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, and 1.3.1 Build 13 are affected. This does not impact the latest firmware versions 1.3.2 and 1.6.1. Additionally, the following products using software version 2.3.6 and below are affected: Alaris GS, Alaris GH, Alaris CC, Alaris TIVA. The application does not restrict the upload of malicious files during a firmware update.
References (3)
Core References
Vendor Advisory
https://www.bd.com/en-us/support/product-security-and-privacy/product-security-bulletins/alaris-gateway-workstation-unauthorized-firmware
Mitigation, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSMA-19-164-01
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/108765
Scores
CVSS v3
10.0
EPSS
0.0106
EPSS Percentile
77.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (8)
bd/alaris_cc_syringe_pump_firmware
< 2.3.6
bd/alaris_gateway_workstation_firmware
1.1.3 10 (2 CPE variants)
bd/alaris_gateway_workstation_firmware
1.2 15
bd/alaris_gateway_workstation_firmware
1.3.0 14
bd/alaris_gateway_workstation_firmware
1.3.1 13
bd/alaris_gh_syringe_pump_firmware
< 2.3.6
bd/alaris_gs_syringe_pump_firmware
< 2.3.6
bd/alaris_tiva_syringe_pump_firmware
< 2.3.6
Published
Jun 13, 2019
Tracked Since
Feb 18, 2026