Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for f4-snc_firmware by johnsoncontrols

    CVE-2023-4486 (GCVE-0-2023-4486)

    Vulnerability from nvd – Published: 2023-12-07 19:55 – Updated: 2025-05-28 13:52
    VLAI
    Title
    Uncontrolled Resource Consumption in Metasys and Facility Explorer
    Summary
    Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    jci
    Impacted products
    Vendor Product Version
    Johnson Controls Metasys NAE55/SNE/SNC Affected: 12.0 , < 12.0.4 (custom)
    Affected: 11.0 , < 11.0.6 (custom)
    Create a notification for this product.
    Johnson Controls Facility Explorer F4-SNC Affected: 12.0 , < 12.0.4 (custom)
    Affected: 11.0 , < 11.0.6 (custom)
    Create a notification for this product.
    Date Public
    2023-12-07 19:24
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.240Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4486",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2023-12-23T05:01:05.723101Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T13:52:00.866Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Metasys NAE55/SNE/SNC",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThan": "12.0.4",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "11.0.6",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Facility Explorer F4-SNC",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThan": "12.0.4",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "11.0.6",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-12-07T19:24:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to \n\nversions 11.0.6 and 12.0.4\n\n and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to \n\nversions 11.0.6 and 12.0.4\n\n and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-19T16:57:41.349Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update Metasys NAE55, SNE, and SNC engines to version 12.0.4.\u003cbr\u003e"
                }
              ],
              "value": "Update Metasys NAE55, SNE, and SNC engines to version 12.0.4.\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update Metasys NAE55, SNE, and SNC engines to version 11.0.6.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update Metasys NAE55, SNE, and SNC engines to version 11.0.6.\n\n\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update Facility Explorer F4-SNC engine to version 12.0.4.\u003cbr\u003e"
                }
              ],
              "value": "Update Facility Explorer F4-SNC engine to version 12.0.4.\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate Facility Explorer F4-SNC engine to version 11.0.6. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\n\n\u003cbr\u003e"
                }
              ],
              "value": "\n\n\nUpdate Facility Explorer F4-SNC engine to version 11.0.6. \u00a0\n\n\n\n\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\nFor more information, contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS).\n\n\u003cbr\u003e"
                }
              ],
              "value": "\nFor more information, contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS).\n\n\n"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Uncontrolled Resource Consumption in Metasys and Facility Explorer",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2023-4486",
        "datePublished": "2023-12-07T19:55:39.265Z",
        "dateReserved": "2023-08-22T19:40:01.192Z",
        "dateUpdated": "2025-05-28T13:52:00.866Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27661 (GCVE-0-2021-27661)

    Vulnerability from nvd – Published: 2021-07-01 13:41 – Updated: 2024-09-16 22:14
    VLAI
    Title
    Facility Explorer
    Summary
    Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    jci
    References
    Impacted products
    Vendor Product Version
    Johnson Controls Facility Explorer SNC Series Supervisory Controllers (F4-SNC) Affected: Facility Explorer SNC Series Supervisory Controllers version 11 11
    Create a notification for this product.
    Date Public
    2021-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.784Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
              },
              {
                "name": "ICS-CERT Advisory",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Facility Explorer SNC Series Supervisory Controllers (F4-SNC)",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "status": "affected",
                  "version": "Facility Explorer SNC Series Supervisory Controllers version 11 11"
                }
              ]
            }
          ],
          "datePublic": "2021-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller\u2019s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-02T10:15:59.000Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "name": "ICS-CERT Advisory",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Apply a patch to the Facility Explorer SNC Series Supervisory Controllers (F4-SNC)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Facility Explorer",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "productsecurity@jci.com",
              "DATE_PUBLIC": "2021-07-01T06:01:00.000Z",
              "ID": "CVE-2021-27661",
              "STATE": "PUBLIC",
              "TITLE": "Facility Explorer"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Facility Explorer SNC Series Supervisory Controllers (F4-SNC)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "Facility Explorer SNC Series Supervisory Controllers version 11",
                                "version_value": "11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Johnson Controls"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller\u2019s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269 Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
                  "refsource": "CONFIRM",
                  "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
                },
                {
                  "name": "ICS-CERT Advisory",
                  "refsource": "CERT",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Apply a patch to the Facility Explorer SNC Series Supervisory Controllers (F4-SNC)."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2021-27661",
        "datePublished": "2021-07-01T13:41:58.835Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:14:19.833Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4486 (GCVE-0-2023-4486)

    Vulnerability from cvelistv5 – Published: 2023-12-07 19:55 – Updated: 2025-05-28 13:52
    VLAI
    Title
    Uncontrolled Resource Consumption in Metasys and Facility Explorer
    Summary
    Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    jci
    Impacted products
    Vendor Product Version
    Johnson Controls Metasys NAE55/SNE/SNC Affected: 12.0 , < 12.0.4 (custom)
    Affected: 11.0 , < 11.0.6 (custom)
    Create a notification for this product.
    Johnson Controls Facility Explorer F4-SNC Affected: 12.0 , < 12.0.4 (custom)
    Affected: 11.0 , < 11.0.6 (custom)
    Create a notification for this product.
    Date Public
    2023-12-07 19:24
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.240Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4486",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2023-12-23T05:01:05.723101Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T13:52:00.866Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Metasys NAE55/SNE/SNC",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThan": "12.0.4",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "11.0.6",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Facility Explorer F4-SNC",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "lessThan": "12.0.4",
                  "status": "affected",
                  "version": "12.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "11.0.6",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-12-07T19:24:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to \n\nversions 11.0.6 and 12.0.4\n\n and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to \n\nversions 11.0.6 and 12.0.4\n\n and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-19T16:57:41.349Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update Metasys NAE55, SNE, and SNC engines to version 12.0.4.\u003cbr\u003e"
                }
              ],
              "value": "Update Metasys NAE55, SNE, and SNC engines to version 12.0.4.\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update Metasys NAE55, SNE, and SNC engines to version 11.0.6.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update Metasys NAE55, SNE, and SNC engines to version 11.0.6.\n\n\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update Facility Explorer F4-SNC engine to version 12.0.4.\u003cbr\u003e"
                }
              ],
              "value": "Update Facility Explorer F4-SNC engine to version 12.0.4.\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate Facility Explorer F4-SNC engine to version 11.0.6. \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\n\n\u003cbr\u003e"
                }
              ],
              "value": "\n\n\nUpdate Facility Explorer F4-SNC engine to version 11.0.6. \u00a0\n\n\n\n\n"
            },
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\nFor more information, contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS).\n\n\u003cbr\u003e"
                }
              ],
              "value": "\nFor more information, contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS).\n\n\n"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Uncontrolled Resource Consumption in Metasys and Facility Explorer",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2023-4486",
        "datePublished": "2023-12-07T19:55:39.265Z",
        "dateReserved": "2023-08-22T19:40:01.192Z",
        "dateUpdated": "2025-05-28T13:52:00.866Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-27661 (GCVE-0-2021-27661)

    Vulnerability from cvelistv5 – Published: 2021-07-01 13:41 – Updated: 2024-09-16 22:14
    VLAI
    Title
    Facility Explorer
    Summary
    Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    jci
    References
    Impacted products
    Vendor Product Version
    Johnson Controls Facility Explorer SNC Series Supervisory Controllers (F4-SNC) Affected: Facility Explorer SNC Series Supervisory Controllers version 11 11
    Create a notification for this product.
    Date Public
    2021-07-01 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T21:26:10.784Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
              },
              {
                "name": "ICS-CERT Advisory",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT",
                  "x_transferred"
                ],
                "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Facility Explorer SNC Series Supervisory Controllers (F4-SNC)",
              "vendor": "Johnson Controls",
              "versions": [
                {
                  "status": "affected",
                  "version": "Facility Explorer SNC Series Supervisory Controllers version 11 11"
                }
              ]
            }
          ],
          "datePublic": "2021-07-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller\u2019s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-02T10:15:59.000Z",
            "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
            "shortName": "jci"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "name": "ICS-CERT Advisory",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT"
              ],
              "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Apply a patch to the Facility Explorer SNC Series Supervisory Controllers (F4-SNC)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Facility Explorer",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "productsecurity@jci.com",
              "DATE_PUBLIC": "2021-07-01T06:01:00.000Z",
              "ID": "CVE-2021-27661",
              "STATE": "PUBLIC",
              "TITLE": "Facility Explorer"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Facility Explorer SNC Series Supervisory Controllers (F4-SNC)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "Facility Explorer SNC Series Supervisory Controllers version 11",
                                "version_value": "11"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Johnson Controls"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller\u2019s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269 Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
                  "refsource": "CONFIRM",
                  "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
                },
                {
                  "name": "ICS-CERT Advisory",
                  "refsource": "CERT",
                  "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Apply a patch to the Facility Explorer SNC Series Supervisory Controllers (F4-SNC)."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "assignerShortName": "jci",
        "cveId": "CVE-2021-27661",
        "datePublished": "2021-07-01T13:41:58.835Z",
        "dateReserved": "2021-02-24T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:14:19.833Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }