CEVAS
CVE-2021-36206

10CRITICAL

Key Information:

Vendor: Johnson Controls
Status: Cevas
Vendor: CVE Published:; 28 October 2022

What is CVE-2021-36206?

All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries.

Affected Version(s)

CEVAS all versions prior to 1.01.46 < 1.01.46

References

https://www.johnsoncontrols.com/cyber-solutions/security-...

https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-05

third-party-advisory

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 28, 2022
Vulnerability Reserved
Jul 6, 2021

Credit

Christian Vierschilling and Caroline Moesler reported this vulnerability to Johnson Controls, Inc.