CVE-2022-21934 : Under certain circumstances an authenticated user could lock other users out of

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.

Published 2022-05-06 16:15:15

Updated 2022-05-16 19:40:43

Source Johnson Controls

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2022-21934

Johnsoncontrols » Metasys Application And Data Server
Versions from including (>=) 10.0 and before (<) 10.1.5
cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server:*:*:*:*:*:*:*:*
Matching versions
Johnsoncontrols » Metasys Application And Data Server
Versions from including (>=) 11.0 and before (<) 11.0.2
cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server:*:*:*:*:*:*:*:*
Matching versions
Johnsoncontrols » Metasys Extended Application And Data Server
Versions from including (>=) 10.0 and before (<) 10.1.5
cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server:*:*:*:*:*:*:*:*
Matching versions
Johnsoncontrols » Metasys Extended Application And Data Server
Versions from including (>=) 11.0 and before (<) 11.0.2
cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server:*:*:*:*:*:*:*:*
Matching versions
Johnsoncontrols » Metasys Open Application Server
Versions from including (>=) 11.0 and before (<) 11.0.2
cpe:2.3:a:johnsoncontrols:metasys_open_application_server:*:*:*:*:*:*:*:*
Matching versions
Johnsoncontrols » Metasys Open Application Server
Versions from including (>=) 10.0 and before (<) 10.1.5
cpe:2.3:a:johnsoncontrols:metasys_open_application_server:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-21934

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 35 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-21934

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.0	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:P	6.8	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.0	HIGH	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.1	5.9	Johnson Controls
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-21934

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)
CWE-620 Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Assigned by: productsecurity@jci.com (Secondary)

References for CVE-2022-21934

https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Product Security Advisories
Vendor Advisory

CVEs referencing this url
https://www.cisa.gov/uscert/ics/advisories/icsa-22-125-01

Johnson Controls Metasys | CISA
Mitigation;Third Party Advisory;US Government Resource

Jump to

Vulnerability Details : CVE-2022-21934

Products affected by CVE-2022-21934

Exploit prediction scoring system (EPSS) score for CVE-2022-21934

CVSS scores for CVE-2022-21934

CWE ids for CVE-2022-21934

References for CVE-2022-21934