Insufficiently Protected Credentials in Metasys
CVE-2021-36204

7.8HIGH

Key Information:

Vendor: Johnson Controls
Status: Metasys Ads/adx/oas
Vendor: CVE Published:; 13 January 2023

What is CVE-2021-36204?

A vulnerability in Johnson Controls' Metasys ADS/ADX/OAS allows API calls to expose sensitive credentials in plain text under certain conditions. Versions 10 prior to 10.1.6 and 11 prior to 11.0.3 are affected, posing significant security risks to users by potentially allowing unauthorized access to critical system data. Users are advised to upgrade to the latest versions to mitigate exposure.

Affected Version(s)

Metasys ADS/ADX/OAS All 10 versions < 10.1.6

Metasys ADS/ADX/OAS All 11 versions < 11.0.3

References

https://www.johnsoncontrols.com/cyber-solutions/security-...

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06

third-party-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 13, 2023
Vulnerability Reserved
Jul 6, 2021