cvelist / Jci / CVELIST:CVE-2021-36202
History: Apr 07, 2022 - 7:12 p.m.

CVE-2021-36202 Metasys UI

2022-04-07 19:12:48
CWE-918
jci
www.cve.org
cve-2021-36202
metasys ui
ssrf
johnson controls
mui pdf export
vulnerability
code injection
authentication
version 10.1.5
version 11.0.2

CVSS3: 8.4
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

AI Score: 8.8
Confidence: High

EPSS: 0.001
Percentile: 42.8%

Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects Johnson Controls Metasys: all 10 versions prior to 10.1.5; all 11 versions prior to 11.0.2.

CNA Affected

[
  {
    "product": "Metasys",
    "vendor": "Johnson Controls",
    "versions": [
      {
        "lessThan": "10.1.5",
        "status": "affected",
        "version": "All 10 versions",
        "versionType": "custom"
      },
      {
        "lessThan": "11.0.2",
        "status": "affected",
        "version": "All 11 versions",
        "versionType": "custom"
      }
    ]
  }
]
