CVE-2024-32931 - Vulnerability Details - OpenCVE

Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00388.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Johnsoncontrols	Exacqvision Web Service

Configuration 1 [-]

cpe:2.3:a:johnsoncontrols:exacqvision_web_service:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-30701	Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.

Fixes

Solution

Update exacqVision Web Service to version 24.06

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-06
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

History

Fri, 09 Aug 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Johnsoncontrols Johnsoncontrols exacqvision Web Service
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:johnsoncontrols:exacqvision_web_service::::::::
Vendors & Products		Johnsoncontrols Johnsoncontrols exacqvision Web Service

Tue, 06 Aug 2024 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2024-08-01T21:18:07.426Z

Updated: 2024-08-06T20:35:43.344Z

Reserved: 2024-04-19T17:27:45.230Z

Link: CVE-2024-32931

Vulnrichment

Updated: 2024-08-06T20:35:37.242Z

NVD

Status : Analyzed

Published: 2024-08-01T22:15:25.190

Modified: 2024-08-09T18:54:11.303

Link: CVE-2024-32931

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32931", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-04-19T17:27:45.230Z", "datePublished": "2024-08-01T21:18:07.426Z", "dateUpdated": "2024-08-06T20:35:43.344Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "exacqVision", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "24.03", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Diego Zaffaroni from Nozomi Networks"}], "datePublic": "2024-08-01T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.024);\">\n\n<span style=\"background-color: rgba(9, 30, 66, 0.06);\">Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.</span>\n\n </span>"}], "value": "Under certain circumstances the exacqVision Web Service can expose authentication token details within communications."}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593: Session Hijacking"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-598", "description": "CWE-598 - Use of GET Request Method With Sensitive Query Strings", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-08-01T21:18:07.426Z"}, "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-06"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.06);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgba(9, 30, 66, 0.06);\">Update exacqVision Web Service to version 24.06</span>\n\n</span>\n\n</span>\n\n<br>"}], "value": "Update exacqVision Web Service to version 24.06"}], "source": {"discovery": "UNKNOWN"}, "title": "exacqVison - Token Disclosed in URL", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-06T20:35:29.938795Z", "id": "CVE-2024-32931", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T20:35:43.344Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32931", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-06T20:35:29.938795Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T20:35:37.242Z"}}], "cna": {"title": "exacqVison - Token Disclosed in URL", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Diego Zaffaroni from Nozomi Networks"}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593: Session Hijacking"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Johnson Controls", "product": "exacqVision", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "24.03"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Update exacqVision Web Service to version 24.06", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.06);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgba(9, 30, 66, 0.06);\">Update exacqVision Web Service to version 24.06</span>\n\n</span>\n\n</span>\n\n<br>", "base64": false}]}], "datePublic": "2024-08-01T16:00:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-06"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.024);\">\n\n<span style=\"background-color: rgba(9, 30, 66, 0.06);\">Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.</span>\n\n </span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-598", "description": "CWE-598 - Use of GET Request Method With Sensitive Query Strings"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-08-01T21:18:07.426Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32931", "state": "PUBLISHED", "dateUpdated": "2024-08-06T20:35:43.344Z", "dateReserved": "2024-04-19T17:27:45.230Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2024-08-01T21:18:07.426Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:exacqvision_web_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EAD8287-8213-4984-A79C-CB1F79CC0C15", "versionEndIncluding": "24.03", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Under certain circumstances the exacqVision Web Service can expose authentication token details within communications."}, {"lang": "es", "value": " En determinadas circunstancias, el servicio web exacqVision puede exponer detalles del token de autenticaci\u00f3n dentro de las comunicaciones."}], "id": "CVE-2024-32931", "lastModified": "2024-08-09T18:54:11.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2024-08-01T22:15:25.190", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-06"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-598"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}