Vulnerability Details : CVE-2022-21939
Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
Products affected by CVE-2022-21939
- Johnsoncontrols » Metasys System Configuration ToolVersions from including (>=) 15.0 and before (<) 15.0.3cpe:2.3:a:johnsoncontrols:metasys_system_configuration_tool:*:*:*:*:*:*:*:*
- Johnsoncontrols » Metasys System Configuration ToolVersions from including (>=) 14.0 and before (<) 14.2.3cpe:2.3:a:johnsoncontrols:metasys_system_configuration_tool:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-21939
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 42 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-21939
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.6
|
5.9
|
Johnson Controls |
CWE ids for CVE-2022-21939
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
-
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Assigned by: nvd@nist.gov (Primary)
-
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.Assigned by: productsecurity@jci.com (Secondary)
References for CVE-2022-21939
-
https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03
Johnson Controls System Configuration Tool (SCT) | CISAThird Party Advisory;US Government Resource;VDB Entry
-
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Product Security AdvisoriesVendor Advisory
Jump to