CVE-2022-21934
06.05.2022, 16:15
Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.Enginsight
| Vendor | Product | Version |
|---|---|---|
| johnsoncontrols | metasys_application_and_data_server | 10.0 ≤ 𝑥 < 10.1.5 |
| johnsoncontrols | metasys_application_and_data_server | 11.0 ≤ 𝑥 < 11.0.2 |
| johnsoncontrols | metasys_extended_application_and_data_server | 10.0 ≤ 𝑥 < 10.1.5 |
| johnsoncontrols | metasys_extended_application_and_data_server | 11.0 ≤ 𝑥 < 11.0.2 |
| johnsoncontrols | metasys_open_application_server | 10.0 ≤ 𝑥 < 10.1.5 |
| johnsoncontrols | metasys_open_application_server | 11.0 ≤ 𝑥 < 11.0.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-620 - Unverified Password ChangeWhen setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
- CWE-287 - Improper AuthenticationWhen an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.