CVE-2020-9049 - OpenCVE

A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:A/AC:M/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Johnsoncontrols	C-cure Web Victor Web

Configuration 1 [-]

OR	cpe:2.3:a:johnsoncontrols:c-cure_web::::::::
	cpe:2.3:a:johnsoncontrols:victor_web::::::::

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2020-11-19T15:27:09.782887Z

Updated: 2024-09-17T02:57:34.537Z

Reserved: 2020-02-18T00:00:00

Link: CVE-2020-9049

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-19T16:15:11.173

Modified: 2020-12-04T15:18:38.803

Link: CVE-2020-9049

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "victor Web Client version 5.6 and prior", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "5.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "C\u2022CURE Web Client version 2.90 and prior (Note - This does not affect the new web-based C\u2022CURE 9000 client that was introduced in C\u2022CURE 9000 v2.90)", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "2.90", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls, Inc."}], "datePublic": "2020-11-19T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House C\u2022CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 : Improper Access Control (Authorization)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-19T15:27:09", "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}, {"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}], "solutions": [{"lang": "en", "value": "victor Web Client\n\n\u2022\tvictor Web Client v5.6 and earlier \u2013 upgrade to v5.6 SP1 (victor Unified Client v5.6 SP1)\n\nRegistered users can obtain the software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx.\n\nC\u2022CURE Web Client\n\nC\u2022CURE Web v2.60 and earlier - upgrade to a minimum of v2.70 and install the relevant update below.\n\n\u2022\tC\u2022CURE Web v2.70 - install the update WebClient_c2.70_5.2_Update02\n\u2022\tC\u2022CURE Web v2.80 - install the update WebClient_c2.80_v5.4.1_Update04\n\u2022\tC\u2022CURE Web v2.90 - install the update CCureWeb_2.90_Update01 \n\nRegistered users can obtain the software update by downloading the update found here: https://swhouse.com/Support/SoftwareDownloads.aspx."}], "source": {"discovery": "EXTERNAL"}, "title": "victor Web Client and C\u2022CURE Web Client JSON Web Token (JWT) Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "productsecurity@jci.com", "DATE_PUBLIC": "2020-11-19T14:00:00.000Z", "ID": "CVE-2020-9049", "STATE": "PUBLIC", "TITLE": "victor Web Client and C\u2022CURE Web Client JSON Web Token (JWT) Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "victor Web Client version 5.6 and prior", "version": {"version_data": [{"version_affected": "<=", "version_value": "5.6"}]}}, {"product_name": "C\u2022CURE Web Client version 2.90 and prior (Note - This does not affect the new web-based C\u2022CURE 9000 client that was introduced in C\u2022CURE 9000 v2.90)", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.90"}]}}]}, "vendor_name": "Johnson Controls"}]}}, "credit": [{"lang": "eng", "value": "Joachim Kerschbaumer reported this vulnerability to Johnson Controls, Inc."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House C\u2022CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 : Improper Access Control (Authorization)"}]}]}, "references": {"reference_data": [{"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "refsource": "CONFIRM", "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "refsource": "CERT", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}, {"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}]}, "solution": [{"lang": "en", "value": "victor Web Client\n\n\u2022\tvictor Web Client v5.6 and earlier \u2013 upgrade to v5.6 SP1 (victor Unified Client v5.6 SP1)\n\nRegistered users can obtain the software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx.\n\nC\u2022CURE Web Client\n\nC\u2022CURE Web v2.60 and earlier - upgrade to a minimum of v2.70 and install the relevant update below.\n\n\u2022\tC\u2022CURE Web v2.70 - install the update WebClient_c2.70_5.2_Update02\n\u2022\tC\u2022CURE Web v2.80 - install the update WebClient_c2.80_v5.4.1_Update04\n\u2022\tC\u2022CURE Web v2.90 - install the update CCureWeb_2.90_Update01 \n\nRegistered users can obtain the software update by downloading the update found here: https://swhouse.com/Support/SoftwareDownloads.aspx."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:19:19.448Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}]}]}, "cveMetadata": {"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "assignerShortName": "jci", "cveId": "CVE-2020-9049", "datePublished": "2020-11-19T15:27:09.782887Z", "dateReserved": "2020-02-18T00:00:00", "dateUpdated": "2024-09-17T02:57:34.537Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:c-cure_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C1E9FAF-B52D-4ABE-8457-7CA79C0C5DBC", "versionEndIncluding": "2.90", "vulnerable": true}, {"criteria": "cpe:2.3:a:johnsoncontrols:victor_web:*:*:*:*:*:*:*:*", "matchCriteriaId": "E225100B-FAF2-403E-8443-D055A1BFBD23", "versionEndIncluding": "5.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in specified versions of American Dynamics victor Web Client and Software House C\u2022CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack."}, {"lang": "es", "value": "Una vulnerabilidad en versiones espec\u00edficas de American Dynamics victor Web Client y Software House C\u2022CURE Web Client, podr\u00eda permitir a un atacante no autenticado en la red crear y firmar su propio JSON Web Token y usarlo para ejecutar un HTTP API Method sin la necesidad de una autorizaci\u00f3n de autenticaci\u00f3n. En determinadas circunstancias, un atacante podr\u00eda usar esto para afectar la disponibilidad del sistema al conducir un ataque de Denegaci\u00f3n de Servicio"}], "id": "CVE-2020-9049", "lastModified": "2020-12-04T15:18:38.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 5.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2020-11-19T16:15:11.173", "references": [{"source": "productsecurity@jci.com", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}