CVE-2021-36204

Summary

Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.

Affected Software

VendorProductVersion RangeStatus
Johnson ControlsMetasys ADS/ADX/OASAll 10 versions < 10.1.6affected
Johnson ControlsMetasys ADS/ADX/OASAll 11 versions < 11.0.3affected

Weaknesses

  • CWE-522: CWE-522: Insufficiently Protected Credentials

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References