CVE-2021-36204

Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.
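
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|----------|------|------------|-------------|-----------------|----------------|--------|
| NIST | NIST | 7.8 HIGH | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| jci | CNA | 7.8 HIGH | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE | ADP | --- | --- |
| CISA-ADP | ADP | --- | --- |
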
EPSS Score: Percentile: 39%

| Vendor | Product | Version |
|--------|---------|---------|
| johnsoncontrols | metasys_application_and_data_server | 10.0 ≤ 𝑥 < 10.1.6 |
| johnsoncontrols | metasys_application_and_data_server | 11.0 ≤ 𝑥 < 11.0.3 |
| johnsoncontrols | metasys_extended_application_and_data_server | 10.0 ≤ 𝑥 < 10.1.6 |
| johnsoncontrols | metasys_extended_application_and_data_server | 11.0 ≤ 𝑥 < 11.0.3 |
| johnsoncontrols | metasys_open_application_server | 10.0 ≤ 𝑥 < 10.1.6 |
| johnsoncontrols | metasys_open_application_server | 11.0 ≤ 𝑥 < 11.0.3 |

𝑥 = Vulnerable software versions