Action not permitted
Modal body text goes here.
Modal Title
Modal Body
ghsa-gfgf-64cp-gxh7
Vulnerability from github
Published
2022-05-24 17:10
Modified
2022-05-24 17:10
VLAI Severity ?
Details
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.
{
"affected": [],
"aliases": [
"CVE-2020-9044"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-10T20:15:00Z",
"severity": "MODERATE"
},
"details": "XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls\u0027 Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.",
"id": "GHSA-gfgf-64cp-gxh7",
"modified": "2022-05-24T17:10:44Z",
"published": "2022-05-24T17:10:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9044"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-05"
}
],
"schema_version": "1.4.0",
"severity": []
}
CVE-2020-9044 (GCVE-0-2020-9044)
Vulnerability from cvelistv5
Published
2020-03-10 19:28
Modified
2024-08-04 10:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - - Information Leak Through XML External Entity File Disclosure
Summary
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:19:19.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Metasys Application and Data Server (ADS, ADS-Lite)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "versions 10.1 and prior"
}
]
},
{
"product": "Metasys Extended Application and Data Server (ADX)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "versions 10.1 and prior"
}
]
},
{
"product": "Metasys Open Data Server (ODS)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "versions 10.1 and prior"
}
]
},
{
"product": "Metasys Open Application Server (OAS)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "version 10.1"
}
]
},
{
"product": "Metasys Network Automation Engine (NAE55 only)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "versions 9.0.1"
},
{
"status": "affected",
"version": "9.0.2"
},
{
"status": "affected",
"version": "9.0.3"
},
{
"status": "affected",
"version": "9.0.5"
},
{
"status": "affected",
"version": "9.0.6"
}
]
},
{
"product": "Metasys Network Integration Engine (NIE55/NIE59)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "versions 9.0.1"
},
{
"status": "affected",
"version": "9.0.2"
},
{
"status": "affected",
"version": "9.0.3"
},
{
"status": "affected",
"version": "9.0.5"
},
{
"status": "affected",
"version": "9.0.6"
}
]
},
{
"product": "Metasys NAE85 and NIE85",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "versions 10.1 and prior"
}
]
},
{
"product": "Metasys LonWorks Control Server (LCS)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "versions 10.1 and prior"
}
]
},
{
"product": "Metasys System Configuration Tool (SCT)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "versions 13.2 and prior"
}
]
},
{
"product": "Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed)",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "version 8.1"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Lukasz Rupala"
}
],
"descriptions": [
{
"lang": "en",
"value": "XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls\u0027 Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 - Information Leak Through XML External Entity File Disclosure ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-10T19:28:30",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-05"
}
],
"solutions": [
{
"lang": "en",
"value": "Johnson Controls has developed a patch to address this issue. Customers should contact their local branch office for remediation. "
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Metasys Improper Restriction of XML External Entity Reference",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"ID": "CVE-2020-9044",
"STATE": "PUBLIC",
"TITLE": "Metasys Improper Restriction of XML External Entity Reference"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Metasys Application and Data Server (ADS, ADS-Lite)",
"version": {
"version_data": [
{
"version_value": "versions 10.1 and prior"
}
]
}
},
{
"product_name": "Metasys Extended Application and Data Server (ADX)",
"version": {
"version_data": [
{
"version_value": "versions 10.1 and prior"
}
]
}
},
{
"product_name": "Metasys Open Data Server (ODS)",
"version": {
"version_data": [
{
"version_value": "versions 10.1 and prior"
}
]
}
},
{
"product_name": "Metasys Open Application Server (OAS)",
"version": {
"version_data": [
{
"version_value": "version 10.1"
}
]
}
},
{
"product_name": "Metasys Network Automation Engine (NAE55 only)",
"version": {
"version_data": [
{
"version_value": "versions 9.0.1"
},
{
"version_value": "9.0.2"
},
{
"version_value": "9.0.3"
},
{
"version_value": "9.0.5"
},
{
"version_value": "9.0.6"
}
]
}
},
{
"product_name": "Metasys Network Integration Engine (NIE55/NIE59)",
"version": {
"version_data": [
{
"version_value": "versions 9.0.1"
},
{
"version_value": "9.0.2"
},
{
"version_value": "9.0.3"
},
{
"version_value": "9.0.5"
},
{
"version_value": "9.0.6"
}
]
}
},
{
"product_name": "Metasys NAE85 and NIE85",
"version": {
"version_data": [
{
"version_value": "versions 10.1 and prior"
}
]
}
},
{
"product_name": "Metasys LonWorks Control Server (LCS)",
"version": {
"version_data": [
{
"version_value": "versions 10.1 and prior"
}
]
}
},
{
"product_name": "Metasys System Configuration Tool (SCT)",
"version": {
"version_data": [
{
"version_value": "versions 13.2 and prior"
}
]
}
},
{
"product_name": "Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed)",
"version": {
"version_data": [
{
"version_value": "version 8.1"
}
]
}
}
]
},
"vendor_name": "Johnson Controls"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Lukasz Rupala"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls\u0027 Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 - Information Leak Through XML External Entity File Disclosure "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"refsource": "CERT",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-05"
}
]
},
"solution": [
{
"lang": "en",
"value": "Johnson Controls has developed a patch to address this issue. Customers should contact their local branch office for remediation. "
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2020-9044",
"datePublished": "2020-03-10T19:28:30",
"dateReserved": "2020-02-18T00:00:00",
"dateUpdated": "2024-08-04T10:19:19.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…