CVE-2021-36201 - OpenCVE

Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Johnsoncontrols	C-cure 9000 C-cure 9000 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:johnsoncontrols:c-cure_9000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:johnsoncontrols:c-cure_9000:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-03	Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jci

Published: 2022-10-11T00:00:00

Updated: 2022-10-14T00:00:00

Reserved: 2021-07-06T00:00:00

Link: CVE-2021-36201

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-10-11T21:15:12.467

Modified: 2022-12-09T18:07:39.220

Link: CVE-2021-36201

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:johnsoncontrols:c-cure_9000_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B04025F0-5B3B-41B0-A5E2-F1AE4CDD3E6C", "versionEndIncluding": "2.90", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:johnsoncontrols:c-cure_9000:-:*:*:*:*:*:*:*", "matchCriteriaId": "4291DD2F-EB08-4F19-98FB-C5CC8B4F3B7C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions."}, {"lang": "es", "value": "Bajo ciertas circunstancias, un usuario de CCURE Portal podr\u00eda enumerar cuentas de usuario en CCURE 9000 versi\u00f3n 2.90 y versiones anteriores"}], "id": "CVE-2021-36201", "lastModified": "2022-12-09T18:07:39.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2022-10-11T21:15:12.467", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-03"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-204"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}