PT-2021-17585 · Johnson Controls · Metasys
Jakub Palaczynski
·
Published
2021-06-04
·
Updated
2021-12-02
·
CVE-2021-27657
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Johnson Controls Metasys versions prior to 11.0
Description
The issue allows an authenticated Metasys user to gain unintended access to the server file system. This can be achieved by sending specifically crafted web messages to the Metasys system, potentially enabling the user to access or modify system files.
Recommendations
For Johnson Controls Metasys versions prior to 11.0, update to a version newer than 11.0 to resolve the issue.
Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Metasys