QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2020-9044

Back to search

CVE-2020-9044

Published: Mar 10, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

VendorProductVersions

Johnson Controls

Metasys Application and Data Server (ADS, ADS-Lite)

affected
versions 10.1 and prior

Johnson Controls

Metasys Extended Application and Data Server (ADX)

affected
versions 10.1 and prior

Johnson Controls

Metasys Open Data Server (ODS)

affected
versions 10.1 and prior

Johnson Controls

Metasys Open Application Server (OAS)

affected
version 10.1

Johnson Controls

Metasys Network Automation Engine (NAE55 only)

affected
versions 9.0.1
affected
9.0.2
affected
9.0.3
affected
9.0.5
affected
9.0.6

Johnson Controls

Metasys Network Integration Engine (NIE55/NIE59)

affected
versions 9.0.1
affected
9.0.2
affected
9.0.3
affected
9.0.5
affected
9.0.6

Johnson Controls

Metasys NAE85 and NIE85

affected
versions 10.1 and prior

Johnson Controls

Metasys LonWorks Control Server (LCS)

affected
versions 10.1 and prior

Johnson Controls

Metasys System Configuration Tool (SCT)

affected
versions 13.2 and prior

Johnson Controls

Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed)

affected
version 8.1

Weaknesses (CWE)

CWE-611

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

ICS-CERT Advisory
third-party-advisory
x_refsource_CERT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now