CVE-2024-32755 - Vulnerability Details - OpenCVE

Description

Under certain circumstances the web interface will accept characters unrelated to the expected input.

Published: 2024-07-02

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Johnson Controls

American Dynamics Illustra Essentials Gen 4

unaffected

Version	Status	Constraints
`0`	affected	≤ Illustra.Ess4.01.02.10.5982

No data.

No data.

No data available yet.

Remediation

Vendor Solution

Update firmware to Illustra.Ess4.01.02.13.6953

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-30542	Under certain circumstances the web interface will accept characters unrelated to the expected input.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00512.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

History

No history.

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2024-07-02T13:38:41.336Z

Updated: 2024-08-02T02:20:35.243Z

Reserved: 2024-04-17T17:26:35.180Z

Link: CVE-2024-32755

Vulnrichment

Updated: 2024-08-02T02:20:35.243Z

NVD

Status : Deferred

Published: 2024-07-02T14:15:12.333

Modified: 2026-06-17T07:30:22.350

Link: CVE-2024-32755

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-20
Improper Input Validation

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32755", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-04-17T17:26:35.180Z", "datePublished": "2024-07-02T13:38:41.336Z", "dateUpdated": "2024-08-02T02:20:35.243Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "American Dynamics Illustra Essentials Gen 4", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "Illustra.Ess4.01.02.10.5982", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sam Hanson of Dragos"}], "datePublic": "2024-06-27T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Under certain circumstances the web interface will accept characters unrelated to the expected input.</span>"}], "value": "Under certain circumstances the web interface will accept characters unrelated to the expected input."}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-07-12T11:48:50.087Z"}, "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Update firmware to Illustra.Ess4.01.02.13.6953</span>"}], "value": "Update firmware to Illustra.Ess4.01.02.13.6953"}], "source": {"discovery": "UNKNOWN"}, "title": "American Dynamics Illustra Essentials Gen 4 - Log Filter Input Validation", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "johnsoncontrols", "product": "illustra_essential_gen_4_firmware", "cpes": ["cpe:2.3:o:johnsoncontrols:illustra_essential_gen_4_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "Illustra.Ess4.01.02.13.6953", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-02T19:35:11.858001Z", "id": "CVE-2024-32755", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T13:52:56.301Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.243Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.243Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32755", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-02T19:35:11.858001Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:johnsoncontrols:illustra_essential_gen_4_firmware:*:*:*:*:*:*:*:*"], "vendor": "johnsoncontrols", "product": "illustra_essential_gen_4_firmware", "versions": [{"status": "affected", "version": "0", "lessThan": "Illustra.Ess4.01.02.13.6953", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T13:52:04.416Z"}}], "cna": {"title": "American Dynamics Illustra Essentials Gen 4 - Log Filter Input Validation", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sam Hanson of Dragos"}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Johnson Controls", "product": "American Dynamics Illustra Essentials Gen 4", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "Illustra.Ess4.01.02.10.5982"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update firmware to Illustra.Ess4.01.02.13.6953", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Update firmware to Illustra.Ess4.01.02.13.6953</span>", "base64": false}]}], "datePublic": "2024-06-27T16:00:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Under certain circumstances the web interface will accept characters unrelated to the expected input.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Under certain circumstances the web interface will accept characters unrelated to the expected input.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-07-12T11:48:50.087Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32755", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:20:35.243Z", "dateReserved": "2024-04-17T17:26:35.180Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2024-07-02T13:38:41.336Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "product": "American Dynamics Illustra Essentials Gen 4", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "Illustra.Ess4.01.02.10.5982", "status": "affected", "version": "0", "versionType": "custom"}]}], "source": "productsecurity@jci.com"}, {"affectedData": [{"cpes": ["cpe:2.3:o:johnsoncontrols:illustra_essential_gen_4_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "illustra_essential_gen_4_firmware", "vendor": "johnsoncontrols", "versions": [{"lessThan": "Illustra.Ess4.01.02.13.6953", "status": "affected", "version": "0", "versionType": "custom"}]}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Under certain circumstances the web interface will accept characters unrelated to the expected input."}, {"lang": "es", "value": "En determinadas circunstancias, la interfaz web aceptar\u00e1 caracteres no relacionados con la entrada esperada."}], "id": "CVE-2024-32755", "lastModified": "2026-06-17T07:30:22.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "productsecurity@jci.com", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2024-32755", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "role": "CISA Coordinator", "timestamp": "2024-07-02T19:35:11.858001Z", "version": "2.0.3"}}]}, "published": "2024-07-02T14:15:12.333", "references": [{"source": "productsecurity@jci.com", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04"}, {"source": "productsecurity@jci.com", "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}