CVE-2020-9048 - OpenCVE

A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Complete

Availability Impact Complete

AV:A/AC:L/Au:N/C:N/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Tyco	C-cure Web Client
Johnsoncontrols	Victor Web Client

Configuration 1 [-]

OR	cpe:2.3:a:johnsoncontrols:victor_web_client::::::::
	cpe:2.3:a:tyco:c-cure_web_client::::::::

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01	Mitigation Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jci

Published: 2020-10-08T00:00:00

Updated: 2021-01-07T17:35:01

Reserved: 2020-02-18T00:00:00

Link: CVE-2020-9048

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-10-08T18:15:12.540

Modified: 2022-10-29T02:40:13.940

Link: CVE-2020-9048

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "victor Web Client version 5.4.1 and prior", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "5.4.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls, Inc."}], "datePublic": "2020-10-08T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 : Improper Access Control (Authorization)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-07T17:35:01", "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01"}], "solutions": [{"lang": "en", "value": "Upgrade all versions of victor Web Client to v5.6\n\nRegistered users can obtain the critical software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx."}], "source": {"discovery": "EXTERNAL"}, "title": "victor Web Client - Arbitrary File Deletion Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productsecurity@jci.com", "DATE_PUBLIC": "2020-10-08T13:00:00.000Z", "ID": "CVE-2020-9048", "STATE": "PUBLIC", "TITLE": "victor Web Client - Arbitrary File Deletion Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "victor Web Client version 5.4.1 and prior", "version": {"version_data": [{"version_affected": "<=", "version_value": "5.4.1"}]}}]}, "vendor_name": "Johnson Controls"}]}}, "credit": [{"lang": "eng", "value": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls, Inc."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 : Improper Access Control (Authorization)"}]}]}, "references": {"reference_data": [{"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "refsource": "CONFIRM", "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01"}]}, "solution": [{"lang": "en", "value": "Upgrade all versions of victor Web Client to v5.6\n\nRegistered users can obtain the critical software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx."}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "assignerShortName": "jci", "cveId": "CVE-2020-9048", "datePublished": "2020-10-08T00:00:00", "dateReserved": "2020-02-18T00:00:00", "dateUpdated": "2021-01-07T17:35:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:victor_web_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "D996B29B-6022-4AC6-92C4-585914B508AB", "versionEndIncluding": "5.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:tyco:c-cure_web_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CCBC1D6-7FFA-4E29-91F9-146E17F5AEBC", "versionEndIncluding": "2.80", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack."}, {"lang": "es", "value": "Una vulnerabilidad en versiones espec\u00edficas de American Dynamics victor Web Client y Software House CCURE Web Client podr\u00eda permitir a un atacante remoto no autenticado en la red eliminar archivos arbitrarios en el sistema o inutilizar el sistema realizando un ataque de Denegaci\u00f3n de Servicio"}], "id": "CVE-2020-9048", "lastModified": "2022-10-29T02:40:13.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 9.2, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2020-10-08T18:15:12.540", "references": [{"source": "productsecurity@jci.com", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01"}, {"source": "productsecurity@jci.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}