CVE-2020-9048 - OpenCVE

A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Complete

Availability Impact Complete

AV:A/AC:L/Au:N/C:N/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Johnsoncontrols	Victor Web Client
Tyco	C-cure Web Client

Configuration 1 [-]

OR	cpe:2.3:a:johnsoncontrols:victor_web_client::::::::
	cpe:2.3:a:tyco:c-cure_web_client::::::::

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2020-10-08T17:29:08.524001Z

Updated: 2024-09-16T18:39:08.774Z

Reserved: 2020-02-18T00:00:00

Link: CVE-2020-9048

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-10-08T18:15:12.540

Modified: 2022-10-29T02:40:13.940

Link: CVE-2020-9048

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "victor Web Client version 5.4.1 and prior", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "5.4.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls, Inc."}], "datePublic": "2020-10-08T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 : Improper Access Control (Authorization)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-07T17:35:01", "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01"}], "solutions": [{"lang": "en", "value": "Upgrade all versions of victor Web Client to v5.6\n\nRegistered users can obtain the critical software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx."}], "source": {"discovery": "EXTERNAL"}, "title": "victor Web Client - Arbitrary File Deletion Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productsecurity@jci.com", "DATE_PUBLIC": "2020-10-08T13:00:00.000Z", "ID": "CVE-2020-9048", "STATE": "PUBLIC", "TITLE": "victor Web Client - Arbitrary File Deletion Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "victor Web Client version 5.4.1 and prior", "version": {"version_data": [{"version_affected": "<=", "version_value": "5.4.1"}]}}]}, "vendor_name": "Johnson Controls"}]}}, "credit": [{"lang": "eng", "value": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls, Inc."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 : Improper Access Control (Authorization)"}]}]}, "references": {"reference_data": [{"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "refsource": "CONFIRM", "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01"}]}, "solution": [{"lang": "en", "value": "Upgrade all versions of victor Web Client to v5.6\n\nRegistered users can obtain the critical software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:19:19.570Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01"}]}]}, "cveMetadata": {"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "assignerShortName": "jci", "cveId": "CVE-2020-9048", "datePublished": "2020-10-08T17:29:08.524001Z", "dateReserved": "2020-02-18T00:00:00", "dateUpdated": "2024-09-16T18:39:08.774Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:victor_web_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "D996B29B-6022-4AC6-92C4-585914B508AB", "versionEndIncluding": "5.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:tyco:c-cure_web_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CCBC1D6-7FFA-4E29-91F9-146E17F5AEBC", "versionEndIncluding": "2.80", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack."}, {"lang": "es", "value": "Una vulnerabilidad en versiones espec\u00edficas de American Dynamics victor Web Client y Software House CCURE Web Client podr\u00eda permitir a un atacante remoto no autenticado en la red eliminar archivos arbitrarios en el sistema o inutilizar el sistema realizando un ataque de Denegaci\u00f3n de Servicio"}], "id": "CVE-2020-9048", "lastModified": "2022-10-29T02:40:13.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 9.2, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2020-10-08T18:15:12.540", "references": [{"source": "productsecurity@jci.com", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01"}, {"source": "productsecurity@jci.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}