CVE-2022-21936 - OpenCVE

On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Johnsoncontrols	Metasys For Validated Environments Metasys Extended Application And Data Server

Configuration 1 [-]

OR	cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server:12.0:::::::*
	cpe:2.3:a:johnsoncontrols:metasys_for_validated_environments:-:::::::*

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-277-01	Third Party Advisory US Government Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jci

Published: 2022-10-04T00:00:00

Updated: 2022-10-07T00:00:00

Reserved: 2021-12-15T00:00:00

Link: CVE-2022-21936

JSON object: View

NVD Information

Status : Modified

Published: 2022-10-07T18:15:14.867

Modified: 2023-11-07T03:43:45.770

Link: CVE-2022-21936

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "50731125-779A-446A-945D-946F44AA3555", "vulnerable": true}, {"criteria": "cpe:2.3:a:johnsoncontrols:metasys_for_validated_environments:-:*:*:*:*:*:*:*", "matchCriteriaId": "C5A8E3EE-0E54-493C-9D4F-7B9BEB8E096A", "vulnerable": false}], "negate": false, "operator": "AND"}]}], "descriptions": [{"lang": "en", "value": "On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI."}, {"lang": "es", "value": "En Metasys ADX Server versi\u00f3n 12.0 ejecutando MVE, un usuario de Active Directory pod\u00eda ejecutar acciones validadas sin proporcionar una contrase\u00f1a v\u00e1lida cuando usaba MVE SMP UI"}], "id": "CVE-2022-21936", "lastModified": "2023-11-07T03:43:45.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2022-10-07T18:15:14.867", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-277-01"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}