Lucene search

JciCVELIST:CVE-2020-9050

HistoryFeb 19, 2021 - 5:12 p.m.

CVE-2020-9050 Metasys Reporting Engine (MRE) Web Services - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

2021-02-1917:12:36

jci

www.cve.org

security vulnerability

metasys reporting engine

path traversal

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

70.3%

JSON

Path Traversal vulnerability exists in Metasys Reporting Engine (MRE) Web Services which could allow a remote unauthenticated attacker to access and download arbitrary files from the system.

CNA Affected

[
  {
    "product": "Metasys Reporting Engine (MRE) Web Services versions 2.0 and 2.1",
    "vendor": "Johnson Controls",
    "versions": [
      {
        "status": "affected",
        "version": "2.0"
      },
      {
        "status": "affected",
        "version": "2.1"
      }
    ]
  }
]

References

www.johnsoncontrols.com/cyber-solutions/security-advisories

www.us-cert.gov/ics/advisories/icsa-21-049-01

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

70.3%

JSON

Related for CVELIST:CVE-2020-9050