Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for System Configuration Tool (SCT) by Johnson Controls

    CVE-2022-21940 (GCVE-0-2022-21940)

    Vulnerability from nvd – Published: 2023-02-09 20:54 – Updated: 2025-03-24 18:12
    VLAI
    Title
    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in System Configuration Tool (SCT)
    Summary
    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
    Assigner
    jci
    Impacted products
    Vendor Product Version
    Johnson Controls System Configuration Tool (SCT) Affected: 14 , < 14.2.3 (custom)
    Affected: 15 , < 15.0.3 (custom)
    Create a notification for this product.
    Date Public
    2023-02-09 18:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:00:53.815Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-21940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T18:12:06.969930Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:12:16.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "System Configuration Tool (SCT)",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThan": "14.2.3",
                  "status": "affected",
                  "version": "14",
                  "versionType": "custom"
                },
                {
                  "lessThan": "15.0.3",
                  "status": "affected",
                  "version": "15",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-02-09T18:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
                }
              ],
              "value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-212",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-212 Functionality Misuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-614",
                  "description": "CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:54:02.226Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update SCT version 14 with patch 14.2.3"
                }
              ],
              "value": "Update SCT version 14 with patch 14.2.3"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update SCT version 15 with patch 15.0.3\u003cbr\u003e"
                }
              ],
              "value": "Update SCT version 15 with patch 15.0.3\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
                }
              ],
              "value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in System Configuration Tool (SCT)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2022-21940",
        "datePublished": "2023-02-09T20:54:02.226Z",
        "dateReserved": "2021-12-15T20:21:18.771Z",
        "dateUpdated": "2025-03-24T18:12:16.046Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-21939 (GCVE-0-2022-21939)

    Vulnerability from nvd – Published: 2023-02-09 20:49 – Updated: 2025-03-24 18:19
    VLAI
    Title
    Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT)
    Summary
    Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
    Assigner
    jci
    Impacted products
    Vendor Product Version
    Johnson Controls System Configuration Tool (SCT) Affected: 14 , < 14.2.3 (custom)
    Affected: 15 , < 15.0.3 (custom)
    Create a notification for this product.
    Date Public
    2023-02-09 18:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:00:54.427Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-21939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T18:19:02.093528Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:19:12.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "System Configuration Tool (SCT)",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThan": "14.2.3",
                  "status": "affected",
                  "version": "14",
                  "versionType": "custom"
                },
                {
                  "lessThan": "15.0.3",
                  "status": "affected",
                  "version": "15",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-02-09T18:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
                }
              ],
              "value": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-212",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-212 Functionality Misuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1004",
                  "description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:49:17.442Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update SCT version 14 with patch 14.2.3"
                }
              ],
              "value": "Update SCT version 14 with patch 14.2.3"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update SCT version 15 with patch 15.0.3\u003cbr\u003e"
                }
              ],
              "value": "Update SCT version 15 with patch 15.0.3\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
                }
              ],
              "value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive cookie without \u0027HttpOnly\u0027 flag in System Configuration Tool (SCT)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2022-21939",
        "datePublished": "2023-02-09T20:49:17.442Z",
        "dateReserved": "2021-12-15T20:21:18.770Z",
        "dateUpdated": "2025-03-24T18:19:12.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-21940 (GCVE-0-2022-21940)

    Vulnerability from cvelistv5 – Published: 2023-02-09 20:54 – Updated: 2025-03-24 18:12
    VLAI
    Title
    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in System Configuration Tool (SCT)
    Summary
    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
    Assigner
    jci
    Impacted products
    Vendor Product Version
    Johnson Controls System Configuration Tool (SCT) Affected: 14 , < 14.2.3 (custom)
    Affected: 15 , < 15.0.3 (custom)
    Create a notification for this product.
    Date Public
    2023-02-09 18:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:00:53.815Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-21940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T18:12:06.969930Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:12:16.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "System Configuration Tool (SCT)",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThan": "14.2.3",
                  "status": "affected",
                  "version": "14",
                  "versionType": "custom"
                },
                {
                  "lessThan": "15.0.3",
                  "status": "affected",
                  "version": "15",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-02-09T18:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
                }
              ],
              "value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-212",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-212 Functionality Misuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-614",
                  "description": "CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:54:02.226Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update SCT version 14 with patch 14.2.3"
                }
              ],
              "value": "Update SCT version 14 with patch 14.2.3"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update SCT version 15 with patch 15.0.3\u003cbr\u003e"
                }
              ],
              "value": "Update SCT version 15 with patch 15.0.3\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
                }
              ],
              "value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in System Configuration Tool (SCT)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2022-21940",
        "datePublished": "2023-02-09T20:54:02.226Z",
        "dateReserved": "2021-12-15T20:21:18.771Z",
        "dateUpdated": "2025-03-24T18:12:16.046Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-21939 (GCVE-0-2022-21939)

    Vulnerability from cvelistv5 – Published: 2023-02-09 20:49 – Updated: 2025-03-24 18:19
    VLAI
    Title
    Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT)
    Summary
    Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
    Assigner
    jci
    Impacted products
    Vendor Product Version
    Johnson Controls System Configuration Tool (SCT) Affected: 14 , < 14.2.3 (custom)
    Affected: 15 , < 15.0.3 (custom)
    Create a notification for this product.
    Date Public
    2023-02-09 18:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:00:54.427Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-21939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-24T18:19:02.093528Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-24T18:19:12.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "System Configuration Tool (SCT)",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThan": "14.2.3",
                  "status": "affected",
                  "version": "14",
                  "versionType": "custom"
                },
                {
                  "lessThan": "15.0.3",
                  "status": "affected",
                  "version": "15",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-02-09T18:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
                }
              ],
              "value": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-212",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-212 Functionality Misuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1004",
                  "description": "CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:49:17.442Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update SCT version 14 with patch 14.2.3"
                }
              ],
              "value": "Update SCT version 14 with patch 14.2.3"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update SCT version 15 with patch 15.0.3\u003cbr\u003e"
                }
              ],
              "value": "Update SCT version 15 with patch 15.0.3\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
                }
              ],
              "value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive cookie without \u0027HttpOnly\u0027 flag in System Configuration Tool (SCT)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2022-21939",
        "datePublished": "2023-02-09T20:49:17.442Z",
        "dateReserved": "2021-12-15T20:21:18.770Z",
        "dateUpdated": "2025-03-24T18:19:12.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }