Lucene search

JciCVELIST:CVE-2021-36201

HistoryOct 11, 2022 - 8:17 p.m.

CVE-2021-36201 CCURE Observable Response Discrepancy

2022-10-1120:17:42

CWE-204

jci

www.cve.org

ccure

portal user enumeration

vulnerability

ccure 9000 v2.90

CVSS3

4.3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

32.2%

JSON

Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions.

CNA Affected

[
  {
    "vendor": "Johnson Controls",
    "product": "C•CURE 9000",
    "versions": [
      {
        "version": "2.90 and ealier",
        "status": "affected",
        "lessThanOrEqual": "2.90",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/uscert/ics/advisories/icsa-22-284-03

www.johnsoncontrols.com/cyber-solutions/security-advisories

CVSS3

4.3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

32.2%

JSON

Related for CVELIST:CVE-2021-36201