Microsoft IIS Logs Credential Details in C•CURE 9000 Web Server
CVE-2024-0912

4.2MEDIUM

Key Information:

Vendor: Johnson Controls
Status: Software House C•cure 9000
Vendor: CVE Published:; 6 June 2024

What is CVE-2024-0912?

Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior versions

Affected Version(s)

Software House C•CURE 9000 0 <= 2.90

References

https://www.johnsoncontrols.com/-/media/jci/cyber-solutio...

https://www.cisa.gov/news-events/ics-advisories/icsa-24-1...

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 6, 2024

Johnson Controls

What is CVE-2024-0912?

Affected Version(s)

References

CVSS V3.1

Timeline