Search criteria
6 vulnerabilities found for c-cure_9000_firmware by johnsoncontrols
CVE-2021-36201 (GCVE-0-2021-36201)
Vulnerability from nvd – Published: 2022-10-11 20:17 – Updated: 2025-05-15 18:42
VLAI?
Title
CCURE Observable Response Discrepancy
Summary
Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions.
Severity ?
4.3 (Medium)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | C•CURE 9000 |
Affected:
2.90 and ealier , ≤ 2.90
(custom)
|
Credits
Kim Syversen and Mathias Kjølleberg Førland reported this vulnerability to Johnson Controls
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:54:51.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T18:42:38.695115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T18:42:45.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "C\u2022CURE 9000",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "2.90",
"status": "affected",
"version": "2.90 and ealier",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kim Syversen and Mathias Kj\u00f8lleberg F\u00f8rland reported this vulnerability to Johnson Controls"
}
],
"datePublic": "2022-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-03"
}
],
"solutions": [
{
"lang": "en",
"value": "Update C\u2022CURE 9000 2.90 with patch 2.90 SP5 or upgrade C\u2022CURE 9000 to version 3.0. The software can be downloaded here: https://www.swhouse.com/Support/SoftwareDownloads.aspx"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CCURE Observable Response Discrepancy",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2021-36201",
"datePublished": "2022-10-11T20:17:42.951Z",
"dateReserved": "2021-07-06T00:00:00.000Z",
"dateUpdated": "2025-05-15T18:42:45.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27660 (GCVE-0-2021-27660)
Vulnerability from nvd – Published: 2021-07-01 13:36 – Updated: 2024-09-16 19:24
VLAI?
Title
C-CURE 9000
Summary
An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs.
Severity ?
8.8 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | C-CURE 9000 |
Affected:
All versions of C-CURE 9000 prior to 2.80 , < 2.80
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "C-CURE 9000",
"vendor": "Johnson Controls",
"versions": [
{
"lessThan": "2.80",
"status": "affected",
"version": "All versions of C-CURE 9000 prior to 2.80",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-02T10:12:24",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to C-CURE 9000 version 2.80 or above. If this is not possible then follow published instructions for disabling the auto update feature located here https://support.swhouse.com/ and search for the document SWH-TAB-nID-000006545."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "C-CURE 9000",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"DATE_PUBLIC": "2021-07-01T06:01:00.000Z",
"ID": "CVE-2021-27660",
"STATE": "PUBLIC",
"TITLE": "C-CURE 9000"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "C-CURE 9000",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All versions of C-CURE 9000 prior to 2.80",
"version_value": "2.80"
}
]
}
}
]
},
"vendor_name": "Johnson Controls"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"refsource": "CERT",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to C-CURE 9000 version 2.80 or above. If this is not possible then follow published instructions for disabling the auto update feature located here https://support.swhouse.com/ and search for the document SWH-TAB-nID-000006545."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2021-27660",
"datePublished": "2021-07-01T13:36:44.607216Z",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-09-16T19:24:41.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9045 (GCVE-0-2020-9045)
Vulnerability from nvd – Published: 2020-05-21 14:45 – Updated: 2024-08-04 10:19
VLAI?
Title
C•CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software.
Summary
During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.
Severity ?
9.9 (Critical)
CWE
- CWE-312 - - Cleartext Storage of Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | Software House C•CURE 9000 v2.70 |
Affected:
2.70
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:19:19.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Software House C\u2022CURE 9000 v2.70",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "2.70"
}
]
},
{
"product": "American Dynamics victor Video Management System v5.2",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "During installation or upgrade to Software House C\u2022CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 - Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-21T14:45:44",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
],
"solutions": [
{
"lang": "en",
"value": "All users should upgrade to the latest version. \n\nPlease note that while the upgrade will automatically remove the log file, we recommend existing deployments to securely delete the log file from the following path c:\\ProgramData\\Tyco\\InstallerTemp and then change the password for the affected user account. "
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "C\u2022CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"ID": "CVE-2020-9045",
"STATE": "PUBLIC",
"TITLE": "C\u2022CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Software House C\u2022CURE 9000 v2.70",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.70"
}
]
}
},
{
"product_name": "American Dynamics victor Video Management System v5.2",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "5.2"
}
]
}
}
]
},
"vendor_name": "Johnson Controls"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "During installation or upgrade to Software House C\u2022CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312 - Cleartext Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"refsource": "CERT",
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
]
},
"solution": [
{
"lang": "en",
"value": "All users should upgrade to the latest version. \n\nPlease note that while the upgrade will automatically remove the log file, we recommend existing deployments to securely delete the log file from the following path c:\\ProgramData\\Tyco\\InstallerTemp and then change the password for the affected user account. "
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2020-9045",
"datePublished": "2020-05-21T14:45:44",
"dateReserved": "2020-02-18T00:00:00",
"dateUpdated": "2024-08-04T10:19:19.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36201 (GCVE-0-2021-36201)
Vulnerability from cvelistv5 – Published: 2022-10-11 20:17 – Updated: 2025-05-15 18:42
VLAI?
Title
CCURE Observable Response Discrepancy
Summary
Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions.
Severity ?
4.3 (Medium)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | C•CURE 9000 |
Affected:
2.90 and ealier , ≤ 2.90
(custom)
|
Credits
Kim Syversen and Mathias Kjølleberg Førland reported this vulnerability to Johnson Controls
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:54:51.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-15T18:42:38.695115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T18:42:45.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "C\u2022CURE 9000",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "2.90",
"status": "affected",
"version": "2.90 and ealier",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kim Syversen and Mathias Kj\u00f8lleberg F\u00f8rland reported this vulnerability to Johnson Controls"
}
],
"datePublic": "2022-10-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-03"
}
],
"solutions": [
{
"lang": "en",
"value": "Update C\u2022CURE 9000 2.90 with patch 2.90 SP5 or upgrade C\u2022CURE 9000 to version 3.0. The software can be downloaded here: https://www.swhouse.com/Support/SoftwareDownloads.aspx"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CCURE Observable Response Discrepancy",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2021-36201",
"datePublished": "2022-10-11T20:17:42.951Z",
"dateReserved": "2021-07-06T00:00:00.000Z",
"dateUpdated": "2025-05-15T18:42:45.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27660 (GCVE-0-2021-27660)
Vulnerability from cvelistv5 – Published: 2021-07-01 13:36 – Updated: 2024-09-16 19:24
VLAI?
Title
C-CURE 9000
Summary
An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs.
Severity ?
8.8 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | C-CURE 9000 |
Affected:
All versions of C-CURE 9000 prior to 2.80 , < 2.80
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "C-CURE 9000",
"vendor": "Johnson Controls",
"versions": [
{
"lessThan": "2.80",
"status": "affected",
"version": "All versions of C-CURE 9000 prior to 2.80",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-02T10:12:24",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to C-CURE 9000 version 2.80 or above. If this is not possible then follow published instructions for disabling the auto update feature located here https://support.swhouse.com/ and search for the document SWH-TAB-nID-000006545."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "C-CURE 9000",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"DATE_PUBLIC": "2021-07-01T06:01:00.000Z",
"ID": "CVE-2021-27660",
"STATE": "PUBLIC",
"TITLE": "C-CURE 9000"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "C-CURE 9000",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All versions of C-CURE 9000 prior to 2.80",
"version_value": "2.80"
}
]
}
}
]
},
"vendor_name": "Johnson Controls"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"refsource": "CERT",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to C-CURE 9000 version 2.80 or above. If this is not possible then follow published instructions for disabling the auto update feature located here https://support.swhouse.com/ and search for the document SWH-TAB-nID-000006545."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2021-27660",
"datePublished": "2021-07-01T13:36:44.607216Z",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-09-16T19:24:41.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9045 (GCVE-0-2020-9045)
Vulnerability from cvelistv5 – Published: 2020-05-21 14:45 – Updated: 2024-08-04 10:19
VLAI?
Title
C•CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software.
Summary
During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.
Severity ?
9.9 (Critical)
CWE
- CWE-312 - - Cleartext Storage of Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | Software House C•CURE 9000 v2.70 |
Affected:
2.70
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:19:19.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Software House C\u2022CURE 9000 v2.70",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "2.70"
}
]
},
{
"product": "American Dynamics victor Video Management System v5.2",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "During installation or upgrade to Software House C\u2022CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 - Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-21T14:45:44",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
],
"solutions": [
{
"lang": "en",
"value": "All users should upgrade to the latest version. \n\nPlease note that while the upgrade will automatically remove the log file, we recommend existing deployments to securely delete the log file from the following path c:\\ProgramData\\Tyco\\InstallerTemp and then change the password for the affected user account. "
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "C\u2022CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"ID": "CVE-2020-9045",
"STATE": "PUBLIC",
"TITLE": "C\u2022CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Software House C\u2022CURE 9000 v2.70",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.70"
}
]
}
},
{
"product_name": "American Dynamics victor Video Management System v5.2",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "5.2"
}
]
}
}
]
},
"vendor_name": "Johnson Controls"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "During installation or upgrade to Software House C\u2022CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312 - Cleartext Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"refsource": "CERT",
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
]
},
"solution": [
{
"lang": "en",
"value": "All users should upgrade to the latest version. \n\nPlease note that while the upgrade will automatically remove the log file, we recommend existing deployments to securely delete the log file from the following path c:\\ProgramData\\Tyco\\InstallerTemp and then change the password for the affected user account. "
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2020-9045",
"datePublished": "2020-05-21T14:45:44",
"dateReserved": "2020-02-18T00:00:00",
"dateUpdated": "2024-08-04T10:19:19.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}