CVE-2021-36204

2023-01-1321:15:15

CWE-522

[email protected]

web.nvd.nist.gov

johnson controls

metasys

credentials

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

51.6%

JSON

Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.

Affected configurations

Nvd

Node

johnsoncontrolsmetasys_application_and_data_serverRange10.0–10.1.6

johnsoncontrolsmetasys_application_and_data_serverRange11.0–11.0.3

johnsoncontrolsmetasys_extended_application_and_data_serverRange10.0–10.1.6

johnsoncontrolsmetasys_extended_application_and_data_serverRange11.0–11.0.3

johnsoncontrolsmetasys_open_application_serverRange10.0–10.1.6

johnsoncontrolsmetasys_open_application_serverRange11.0–11.0.3

VendorProductVersionCPE
johnsoncontrolsmetasys_application_and_data_server*cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server:*:*:*:*:*:*:*:*
johnsoncontrolsmetasys_extended_application_and_data_server*cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server:*:*:*:*:*:*:*:*
johnsoncontrolsmetasys_open_application_server*cpe:2.3:a:johnsoncontrols:metasys_open_application_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
johnsoncontrols	metasys_application_and_data_server	*	cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server::::::::
johnsoncontrols	metasys_extended_application_and_data_server	*	cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server::::::::
johnsoncontrols	metasys_open_application_server	*	cpe:2.3:a:johnsoncontrols:metasys_open_application_server::::::::