CVE-2024-32861 - Vulnerability Details - OpenCVE

Description

Under certain circumstances the impacted Software House C•CURE 9000 installer will utilize unnecessarily wide permissions.

Published: 2024-07-16

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Johnson Controls

Software House C•CURE 9000 Installer

affected

Version	Status	Constraints
`0`	affected	≤ 2.8

No data.

No data.

No data available yet.

Remediation

Vendor Solution

• Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path: o C:\CouchDB\bin

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-30647	Under certain circumstances the impacted Software House C•CURE 9000 installer will utilize unnecessarily wide permissions.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00068.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

History

Mon, 13 Jan 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description	Under certain circumstances the Software House C●CURE 9000 Site Server provides insufficient protection of directories containing executables.	Under certain circumstances the impacted Software House C•CURE 9000 installer will utilize unnecessarily wide permissions.

Subscriptions

Johnsoncontrols Software House C-cure 9000

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2024-07-16T14:36:51.171Z

Updated: 2025-07-21T15:57:46.437Z

Reserved: 2024-04-19T13:45:43.928Z

Link: CVE-2024-32861

Vulnrichment

Updated: 2024-08-02T02:20:35.618Z

NVD

Status : Deferred

Published: 2024-07-16T15:15:12.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-32861

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-276

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32861", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-04-19T13:45:43.928Z", "datePublished": "2024-07-16T14:36:51.171Z", "dateUpdated": "2025-07-21T15:57:46.437Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Software House C\u2022CURE 9000 Installer", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Reid Wightman of Dragos"}], "datePublic": "2024-07-16T14:32:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Under certain circumstances the impacted Software House C\u2022CURE 9000 installer will utilize unnecessarily wide permissions."}], "value": "Under certain circumstances the impacted Software House C\u2022CURE 9000 installer will utilize unnecessarily wide permissions."}], "impacts": [{"capecId": "CAPEC-653", "descriptions": [{"lang": "en", "value": "CAPEC-653: Use of Known Operating System Credentials"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2025-07-21T15:57:46.437Z"}, "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\u2022 Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path:<br>\u2003\u2003\u2003o C:\\CouchDB\\bin <br><br>"}], "value": "\u2022 Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path:\n\u2003\u2003\u2003o C:\\CouchDB\\bin"}], "source": {"discovery": "UNKNOWN"}, "title": "Software House C\u2022CURE - CouchDB executable protection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "johnsoncontrols", "product": "software_house_c-cure_9000", "cpes": ["cpe:2.3:a:johnsoncontrols:software_house_c-cure_9000:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.00.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T14:55:26.330499Z", "id": "CVE-2024-32861", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T14:57:10.115Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.618Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.618Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32861", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-16T14:55:26.330499Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:johnsoncontrols:software_house_c-cure_9000:*:*:*:*:*:*:*:*"], "vendor": "johnsoncontrols", "product": "software_house_c-cure_9000", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.00.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T14:57:06.964Z"}}], "cna": {"title": "Software House C\u2022CURE - CouchDB executable protection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Reid Wightman of Dragos"}], "impacts": [{"capecId": "CAPEC-653", "descriptions": [{"lang": "en", "value": "CAPEC-653: Use of Known Operating System Credentials"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Johnson Controls", "product": "Software House C\u2022CURE 9000 Installer", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.8"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "\u2022 Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path:\n\u2003\u2003\u2003o C:\\CouchDB\\bin", "supportingMedia": [{"type": "text/html", "value": "\u2022 Remove Full control and Write permissions. For non-administrator accounts, limit permissions to Read & Execute on the following path:<br>\u2003\u2003\u2003o C:\\CouchDB\\bin <br><br>", "base64": false}]}], "datePublic": "2024-07-16T14:32:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/ICSA-24-191-05"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Under certain circumstances the impacted Software House C\u2022CURE 9000 installer will utilize unnecessarily wide permissions.", "supportingMedia": [{"type": "text/html", "value": "Under certain circumstances the impacted Software House C\u2022CURE 9000 installer will utilize unnecessarily wide permissions.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2025-07-21T15:57:46.437Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32861", "state": "PUBLISHED", "dateUpdated": "2025-07-21T15:57:46.437Z", "dateReserved": "2024-04-19T13:45:43.928Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2024-07-16T14:36:51.171Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}