Description

Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.

Related CPE's

a

johnsoncontrols

metasys

Vulnerable

References

https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01

Third Party AdvisoryUS Government Resource

https://us-cert.gov/ics/advisories

Third Party AdvisoryUS Government Resource

https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Vendor Advisory

Weaknesses

[email protected]

Primary
CWE-269

[email protected]

Secondary
CWE-269

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-06-04T15:15:07.517

4 years ago

Last modified

2021-12-02T13:55:35.607

3 years ago