Search criteria
8 vulnerabilities found for exacqvision_server by johnsoncontrols
CVE-2024-32865 (GCVE-0-2024-32865)
Vulnerability from nvd – Published: 2024-08-01 21:13 – Updated: 2024-08-02 14:36
VLAI?
Title
exacqVison - TLS certificate validation
Summary
Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices.
Severity ?
6.4 (Medium)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | exacqVision |
Affected:
0 , ≤ 24.03
(custom)
|
Credits
Diego Zaffaroni from Nozomi Networks
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:johnsoncontrols:exacqvision_server:*:*:*:*:*:*:x86:*"
],
"defaultStatus": "unknown",
"product": "exacqvision_server",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThanOrEqual": "24.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T14:13:28.853898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T14:36:24.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "exacqVision",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "24.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diego Zaffaroni from Nozomi Networks"
}
],
"datePublic": "2024-08-01T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.024);\"\u003eUnder certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices. \u003c/span\u003e"
}
],
"value": "Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94: Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T21:13:24.868Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-05"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate exacqVision Server and exacqVision Client to version 24.06\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Update exacqVision Server and exacqVision Client to version 24.06"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "exacqVison - TLS certificate validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2024-32865",
"datePublished": "2024-08-01T21:13:24.868Z",
"dateReserved": "2024-04-19T13:45:43.929Z",
"dateUpdated": "2024-08-02T14:36:24.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32758 (GCVE-0-2024-32758)
Vulnerability from nvd – Published: 2024-08-01 21:50 – Updated: 2024-08-06 20:35
VLAI?
Title
exacqVision - Key exchanges
Summary
Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange
Severity ?
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | exacqVision |
Affected:
0
(custom)
|
Credits
Reid Wightman of Dragos
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:johnsoncontrols:exacqvision_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "exacqvision_server",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:johnsoncontrols:exacqvision_client:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "exacqvision_client",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T20:29:29.999907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T20:35:07.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "exacqVision",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Reid Wightman of Dragos"
}
],
"datePublic": "2024-08-01T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.024);\"\u003e\n\n\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\n\n\u003cp\u003eUnder certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange\u003c/p\u003e\n\n\u003c/span\u003e\n\n \u003c/span\u003e"
}
],
"value": "Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange"
}
],
"impacts": [
{
"capecId": "CAPEC-277",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-277: Data Interchange Protocol Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326: Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T21:50:16.134Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\n\n\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003eFollow the guidance provided on the exacqVision Hardening Guide under the Password Strengthening section at \u003c/span\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.johnsoncontrols.com/trust-center/cybersecurity/resources.\"\u003ehttps://www.johnsoncontrols.com/trust-center/cybersecurity/resources.\u003c/a\u003e \n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Follow the guidance provided on the exacqVision Hardening Guide under the Password Strengthening section at \n https://www.johnsoncontrols.com/trust-center/cybersecurity/resources."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "exacqVision - Key exchanges",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2024-32758",
"datePublished": "2024-08-01T21:50:16.134Z",
"dateReserved": "2024-04-17T17:26:35.181Z",
"dateUpdated": "2024-08-06T20:35:07.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27665 (GCVE-0-2021-27665)
Vulnerability from nvd – Published: 2021-10-11 15:26 – Updated: 2024-09-17 02:53
VLAI?
Title
exacqVision Server 32-bit
Summary
An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition.
Severity ?
7.5 (High)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | exacqVision Web Service |
Affected:
21.06.11.0 , ≤ 21.06.11.0
(custom)
|
Credits
Tenable Research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://us-cert.gov/ics/advisories/icsa-21-280-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "exacqVision Web Service",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "21.06.11.0",
"status": "affected",
"version": "21.06.11.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tenable Research"
}
],
"datePublic": "2021-10-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-11T15:26:09",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://us-cert.gov/ics/advisories/icsa-21-280-03"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade exacqVision Server 32-bit to version 21.09 or upgrade to exacqVision Server 64-bit\n\nCurrent users can obtain the critical software update from the Software Download location at: https://www.exacq.com/support/downloads.php"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "exacqVision Server 32-bit",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"DATE_PUBLIC": "2021-10-07T18:16:00.000Z",
"ID": "CVE-2021-27665",
"STATE": "PUBLIC",
"TITLE": "exacqVision Server 32-bit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "exacqVision Web Service",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "21.06.11.0",
"version_value": "21.06.11.0"
}
]
}
}
]
},
"vendor_name": "Johnson Controls"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tenable Research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-190: Integer Overflow or Wraparound"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"refsource": "CERT",
"url": "https://us-cert.gov/ics/advisories/icsa-21-280-03"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade exacqVision Server 32-bit to version 21.09 or upgrade to exacqVision Server 64-bit\n\nCurrent users can obtain the critical software update from the Software Download location at: https://www.exacq.com/support/downloads.php"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2021-27665",
"datePublished": "2021-10-11T15:26:09.316481Z",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-09-17T02:53:35.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-7590 (GCVE-0-2019-7590)
Vulnerability from nvd – Published: 2019-07-19 20:56 – Updated: 2024-09-17 01:40
VLAI?
Title
exacqVision Server Unquoted Service Path
Summary
ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.
Severity ?
6.7 (Medium)
CWE
- CWE-428 - Unquoted Search Path or Element
- The exacqVision Server unquoted service path privilege escalation vulnerability is possible in the Windows operating system.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Exacq Technologies, Inc. | exacqVision Server |
Unknown:
unspecified , < 8.4
(custom)
Unaffected: unspecified , ≤ 9.4 (custom) Affected: 9.6 Affected: 9.8 Unaffected: next of 19.03 , < unspecified (custom) |
Credits
Gjoko 'LiquidWorm' Krstic
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:54:28.462Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-199-01"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "109307",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/109307"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "exacqVision Server",
"vendor": "Exacq Technologies, Inc.",
"versions": [
{
"lessThan": "8.4",
"status": "unknown",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.4",
"status": "unaffected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "9.6"
},
{
"status": "affected",
"version": "9.8"
},
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "next of 19.03",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Windows operating system with exacqVision Server version 9.6 or 9.8 installed."
}
],
"credits": [
{
"lang": "en",
"value": "Gjoko \u0027LiquidWorm\u0027 Krstic"
}
],
"datePublic": "2019-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ExacqVision Server\u2019s services \u0027exacqVisionServer\u0027, \u0027dvrdhcpserver\u0027 and \u0027mdnsresponder\u0027 have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4."
}
],
"exploits": [
{
"lang": "en",
"value": "N/A"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428 Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "The exacqVision Server unquoted service path privilege escalation vulnerability is possible in the Windows operating system.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-22T07:06:02",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-199-01"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "109307",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/109307"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to exacqVision Server 19.03"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "exacqVision Server Unquoted Service Path",
"workarounds": [
{
"lang": "en",
"value": "Run Registry Editor and navigate to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\exacqVisionServer. Modify the ImagePath for to include quotations around the entire file path. Repeat this process for HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\dvrdhcpserver and HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mdnsresponder"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.7"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"DATE_PUBLIC": "2019-07-18T17:01:00.000Z",
"ID": "CVE-2019-7590",
"STATE": "PUBLIC",
"TITLE": "exacqVision Server Unquoted Service Path"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "exacqVision Server",
"version": {
"version_data": [
{
"version_affected": "?\u003c",
"version_value": "8.4"
},
{
"version_affected": "!\u003c=",
"version_value": "9.4"
},
{
"version_affected": "=",
"version_value": "9.6"
},
{
"version_affected": "=",
"version_value": "9.8"
},
{
"version_affected": "!\u003e",
"version_value": "19.03"
}
]
}
}
]
},
"vendor_name": "Exacq Technologies, Inc."
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "Windows operating system with exacqVision Server version 9.6 or 9.8 installed."
}
],
"credit": [
{
"lang": "eng",
"value": "Gjoko \u0027LiquidWorm\u0027 Krstic"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ExacqVision Server\u2019s services \u0027exacqVisionServer\u0027, \u0027dvrdhcpserver\u0027 and \u0027mdnsresponder\u0027 have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4."
}
]
},
"exploit": [
{
"lang": "en",
"value": "N/A"
}
],
"generator": {
"engine": "Vulnogram 0.0.7"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-428 Unquoted Search Path or Element"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "The exacqVision Server unquoted service path privilege escalation vulnerability is possible in the Windows operating system."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html"
},
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php"
},
{
"name": "https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341",
"refsource": "MISC",
"url": "https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341"
},
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-199-01",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-199-01"
},
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "109307",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/109307"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to exacqVision Server 19.03"
}
],
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Run Registry Editor and navigate to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\exacqVisionServer. Modify the ImagePath for to include quotations around the entire file path. Repeat this process for HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\dvrdhcpserver and HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mdnsresponder"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2019-7590",
"datePublished": "2019-07-19T20:56:07.852988Z",
"dateReserved": "2019-02-07T00:00:00",
"dateUpdated": "2024-09-17T01:40:35.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32758 (GCVE-0-2024-32758)
Vulnerability from cvelistv5 – Published: 2024-08-01 21:50 – Updated: 2024-08-06 20:35
VLAI?
Title
exacqVision - Key exchanges
Summary
Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange
Severity ?
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | exacqVision |
Affected:
0
(custom)
|
Credits
Reid Wightman of Dragos
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:johnsoncontrols:exacqvision_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "exacqvision_server",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:johnsoncontrols:exacqvision_client:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "exacqvision_client",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T20:29:29.999907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T20:35:07.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "exacqVision",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Reid Wightman of Dragos"
}
],
"datePublic": "2024-08-01T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.024);\"\u003e\n\n\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\n\n\u003cp\u003eUnder certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange\u003c/p\u003e\n\n\u003c/span\u003e\n\n \u003c/span\u003e"
}
],
"value": "Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange"
}
],
"impacts": [
{
"capecId": "CAPEC-277",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-277: Data Interchange Protocol Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326: Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T21:50:16.134Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\n\n\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003eFollow the guidance provided on the exacqVision Hardening Guide under the Password Strengthening section at \u003c/span\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.johnsoncontrols.com/trust-center/cybersecurity/resources.\"\u003ehttps://www.johnsoncontrols.com/trust-center/cybersecurity/resources.\u003c/a\u003e \n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Follow the guidance provided on the exacqVision Hardening Guide under the Password Strengthening section at \n https://www.johnsoncontrols.com/trust-center/cybersecurity/resources."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "exacqVision - Key exchanges",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2024-32758",
"datePublished": "2024-08-01T21:50:16.134Z",
"dateReserved": "2024-04-17T17:26:35.181Z",
"dateUpdated": "2024-08-06T20:35:07.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32865 (GCVE-0-2024-32865)
Vulnerability from cvelistv5 – Published: 2024-08-01 21:13 – Updated: 2024-08-02 14:36
VLAI?
Title
exacqVison - TLS certificate validation
Summary
Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices.
Severity ?
6.4 (Medium)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | exacqVision |
Affected:
0 , ≤ 24.03
(custom)
|
Credits
Diego Zaffaroni from Nozomi Networks
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:johnsoncontrols:exacqvision_server:*:*:*:*:*:*:x86:*"
],
"defaultStatus": "unknown",
"product": "exacqvision_server",
"vendor": "johnsoncontrols",
"versions": [
{
"lessThanOrEqual": "24.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T14:13:28.853898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T14:36:24.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "exacqVision",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "24.03",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Diego Zaffaroni from Nozomi Networks"
}
],
"datePublic": "2024-08-01T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.024);\"\u003eUnder certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices. \u003c/span\u003e"
}
],
"value": "Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94: Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T21:13:24.868Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-05"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(9, 30, 66, 0.06);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate exacqVision Server and exacqVision Client to version 24.06\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Update exacqVision Server and exacqVision Client to version 24.06"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "exacqVison - TLS certificate validation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2024-32865",
"datePublished": "2024-08-01T21:13:24.868Z",
"dateReserved": "2024-04-19T13:45:43.929Z",
"dateUpdated": "2024-08-02T14:36:24.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27665 (GCVE-0-2021-27665)
Vulnerability from cvelistv5 – Published: 2021-10-11 15:26 – Updated: 2024-09-17 02:53
VLAI?
Title
exacqVision Server 32-bit
Summary
An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition.
Severity ?
7.5 (High)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Johnson Controls | exacqVision Web Service |
Affected:
21.06.11.0 , ≤ 21.06.11.0
(custom)
|
Credits
Tenable Research
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://us-cert.gov/ics/advisories/icsa-21-280-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "exacqVision Web Service",
"vendor": "Johnson Controls",
"versions": [
{
"lessThanOrEqual": "21.06.11.0",
"status": "affected",
"version": "21.06.11.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tenable Research"
}
],
"datePublic": "2021-10-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-11T15:26:09",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://us-cert.gov/ics/advisories/icsa-21-280-03"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade exacqVision Server 32-bit to version 21.09 or upgrade to exacqVision Server 64-bit\n\nCurrent users can obtain the critical software update from the Software Download location at: https://www.exacq.com/support/downloads.php"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "exacqVision Server 32-bit",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"DATE_PUBLIC": "2021-10-07T18:16:00.000Z",
"ID": "CVE-2021-27665",
"STATE": "PUBLIC",
"TITLE": "exacqVision Server 32-bit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "exacqVision Web Service",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "21.06.11.0",
"version_value": "21.06.11.0"
}
]
}
}
]
},
"vendor_name": "Johnson Controls"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tenable Research"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-190: Integer Overflow or Wraparound"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"refsource": "CERT",
"url": "https://us-cert.gov/ics/advisories/icsa-21-280-03"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade exacqVision Server 32-bit to version 21.09 or upgrade to exacqVision Server 64-bit\n\nCurrent users can obtain the critical software update from the Software Download location at: https://www.exacq.com/support/downloads.php"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2021-27665",
"datePublished": "2021-10-11T15:26:09.316481Z",
"dateReserved": "2021-02-24T00:00:00",
"dateUpdated": "2024-09-17T02:53:35.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-7590 (GCVE-0-2019-7590)
Vulnerability from cvelistv5 – Published: 2019-07-19 20:56 – Updated: 2024-09-17 01:40
VLAI?
Title
exacqVision Server Unquoted Service Path
Summary
ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.
Severity ?
6.7 (Medium)
CWE
- CWE-428 - Unquoted Search Path or Element
- The exacqVision Server unquoted service path privilege escalation vulnerability is possible in the Windows operating system.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Exacq Technologies, Inc. | exacqVision Server |
Unknown:
unspecified , < 8.4
(custom)
Unaffected: unspecified , ≤ 9.4 (custom) Affected: 9.6 Affected: 9.8 Unaffected: next of 19.03 , < unspecified (custom) |
Credits
Gjoko 'LiquidWorm' Krstic
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:54:28.462Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-199-01"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "109307",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/109307"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "exacqVision Server",
"vendor": "Exacq Technologies, Inc.",
"versions": [
{
"lessThan": "8.4",
"status": "unknown",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.4",
"status": "unaffected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "9.6"
},
{
"status": "affected",
"version": "9.8"
},
{
"lessThan": "unspecified",
"status": "unaffected",
"version": "next of 19.03",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "Windows operating system with exacqVision Server version 9.6 or 9.8 installed."
}
],
"credits": [
{
"lang": "en",
"value": "Gjoko \u0027LiquidWorm\u0027 Krstic"
}
],
"datePublic": "2019-07-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ExacqVision Server\u2019s services \u0027exacqVisionServer\u0027, \u0027dvrdhcpserver\u0027 and \u0027mdnsresponder\u0027 have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4."
}
],
"exploits": [
{
"lang": "en",
"value": "N/A"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-428",
"description": "CWE-428 Unquoted Search Path or Element",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "The exacqVision Server unquoted service path privilege escalation vulnerability is possible in the Windows operating system.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-22T07:06:02",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-199-01"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "109307",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/109307"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to exacqVision Server 19.03"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "exacqVision Server Unquoted Service Path",
"workarounds": [
{
"lang": "en",
"value": "Run Registry Editor and navigate to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\exacqVisionServer. Modify the ImagePath for to include quotations around the entire file path. Repeat this process for HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\dvrdhcpserver and HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mdnsresponder"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.7"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"DATE_PUBLIC": "2019-07-18T17:01:00.000Z",
"ID": "CVE-2019-7590",
"STATE": "PUBLIC",
"TITLE": "exacqVision Server Unquoted Service Path"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "exacqVision Server",
"version": {
"version_data": [
{
"version_affected": "?\u003c",
"version_value": "8.4"
},
{
"version_affected": "!\u003c=",
"version_value": "9.4"
},
{
"version_affected": "=",
"version_value": "9.6"
},
{
"version_affected": "=",
"version_value": "9.8"
},
{
"version_affected": "!\u003e",
"version_value": "19.03"
}
]
}
}
]
},
"vendor_name": "Exacq Technologies, Inc."
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "Windows operating system with exacqVision Server version 9.6 or 9.8 installed."
}
],
"credit": [
{
"lang": "eng",
"value": "Gjoko \u0027LiquidWorm\u0027 Krstic"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ExacqVision Server\u2019s services \u0027exacqVisionServer\u0027, \u0027dvrdhcpserver\u0027 and \u0027mdnsresponder\u0027 have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4."
}
]
},
"exploit": [
{
"lang": "en",
"value": "N/A"
}
],
"generator": {
"engine": "Vulnogram 0.0.7"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-428 Unquoted Search Path or Element"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "The exacqVision Server unquoted service path privilege escalation vulnerability is possible in the Windows operating system."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/152128/exacqVision-9.8-Unquoted-Service-Path-Privilege-Escalation.html"
},
{
"name": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php",
"refsource": "MISC",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5515.php"
},
{
"name": "https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341",
"refsource": "MISC",
"url": "https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341"
},
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-199-01",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-199-01"
},
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "109307",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/109307"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to exacqVision Server 19.03"
}
],
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Run Registry Editor and navigate to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\exacqVisionServer. Modify the ImagePath for to include quotations around the entire file path. Repeat this process for HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\dvrdhcpserver and HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mdnsresponder"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2019-7590",
"datePublished": "2019-07-19T20:56:07.852988Z",
"dateReserved": "2019-02-07T00:00:00",
"dateUpdated": "2024-09-17T01:40:35.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}