Lucene search

JciCVE-2021-36200

HistoryJul 22, 2022 - 3:15 p.m.

CVE-2021-36200

2022-07-2215:15:07

CWE-306

jci

web.nvd.nist.gov

1384

cve-2021-36200

metasys

web api

unauthenticated access

user enumeration

security vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

34.5%

JSON

Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.

Affected configurations

Nvd

Node

johnsoncontrolsmetasys_application_and_data_serverRange10.0–10.1.6

johnsoncontrolsmetasys_application_and_data_serverRange11.0–11.0.2

johnsoncontrolsmetasys_extended_application_and_data_serverRange10.0–10.1.6

johnsoncontrolsmetasys_extended_application_and_data_serverRange11.0–11.0.2

johnsoncontrolsmetasys_open_application_serverRange10.0–10.1.6

johnsoncontrolsmetasys_open_application_serverRange11.0–11.0.2

VendorProductVersionCPE
johnsoncontrolsmetasys_application_and_data_server*cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server:*:*:*:*:*:*:*:*
johnsoncontrolsmetasys_extended_application_and_data_server*cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server:*:*:*:*:*:*:*:*
johnsoncontrolsmetasys_open_application_server*cpe:2.3:a:johnsoncontrols:metasys_open_application_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
johnsoncontrols	metasys_application_and_data_server	*	cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server::::::::
johnsoncontrols	metasys_extended_application_and_data_server	*	cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server::::::::
johnsoncontrols	metasys_open_application_server	*	cpe:2.3:a:johnsoncontrols:metasys_open_application_server::::::::

CNA Affected

[
  {
    "product": "Metasys ADS/ADX/OAS server",
    "vendor": "Johnson Controls",
    "versions": [
      {
        "lessThan": "10.1.6",
        "status": "affected",
        "version": "All 10 versions",
        "versionType": "custom"
      },
      {
        "lessThan": "11.0.2",
        "status": "affected",
        "version": "All 11 versions",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/uscert/ics/advisories/icsa-22-202-02

www.johnsoncontrols.com/cyber-solutions/security-advisories

Social References

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

34.5%

JSON

Related for CVE-2021-36200