CVE-2021-36205 Metasys session token

🗓️ 15 Apr 2022 16:24:48Reported by jciType

CVE-2021-36205 Metasys session token not cleared on logou

Reporter	Title	Published	Views	Family All 9
BDU FSTEC	The vulnerability of the Metasys Application and Data Server (ADS), Metasys Extended Application and Data Server (ADX), and Metasys Open Application Server (OAS) lies in the incomplete cleanup of session tokens, allowing attackers to obtain session tokens from authenticated users.	30 May 202200:00	–	bdu_fstec
Circl	CVE-2021-36205	15 Apr 202220:20	–	circl
CNNVD	Johnson Controls Metasys ADS/ADX/OAS Servers 安全漏洞	14 Apr 202200:00	–	cnnvd
CVE	CVE-2021-36205	15 Apr 202216:24	–	cve
EUVD	EUVD-2021-22826	7 Oct 202500:30	–	euvd
ICS	Johnson Controls Metasys	14 Apr 202200:00	–	ics
NVD	CVE-2021-36205	15 Apr 202217:15	–	nvd
OSV	CVE-2021-36205	15 Apr 202217:15	–	osv
Prion	Code injection	15 Apr 202217:15	–	prion

[
  {
    "product": "Metasys",
    "vendor": "Johnson Controls",
    "versions": [
      {
        "lessThan": "10.1.5",
        "status": "affected",
        "version": "All 10 versions",
        "versionType": "custom"
      },
      {
        "lessThan": "11.0.2",
        "status": "affected",
        "version": "All 11 versions",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
cisa	www.cisa.gov/uscert/ics/advisories/icsa-22-104-02
johnsoncontrols	www.johnsoncontrols.com/cyber-solutions/security-advisories

15 Apr 2022 16:24Current

9.7High risk

Vulners AI Score9.7

CVSS 3.18.1

EPSS0.00275

CWE-459