CVE-2023-4486
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to
versions 11.0.6 and 12.0.4
and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Johnson Controls | Metasys NAE55/SNE/SNC | 12.0 < 12.0.4 | affected |
| Johnson Controls | Metasys NAE55/SNE/SNC | 11.0 < 11.0.6 | affected |
| Johnson Controls | Facility Explorer F4-SNC | 12.0 < 12.0.4 | affected |
| Johnson Controls | Facility Explorer F4-SNC | 11.0 < 11.0.6 | affected |
Weaknesses
- CWE-400: CWE-400 Uncontrolled Resource Consumption
ADP Enrichment
CVE Program Container
Additional References
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.