CVE-2020-9049

A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
ADJACENT_NETWORK
HIGH
NONE
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
jciCNA
7.1 HIGH
ADJACENT_NETWORK
HIGH
NONE
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
VendorProductVersion
johnsoncontrolsc-cure_web
𝑥
≤ 2.90
johnsoncontrolsvictor_web
𝑥
≤ 5.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01
https://www.johnsoncontrols.com/cyber-solutions/security-advisories