CVE-2023-4486

Summary

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to

versions 11.0.6 and 12.0.4

and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.

Affected Software

VendorProductVersion RangeStatus
Johnson ControlsMetasys NAE55/SNE/SNC12.0 < 12.0.4affected
Johnson ControlsMetasys NAE55/SNE/SNC11.0 < 11.0.6affected
Johnson ControlsFacility Explorer F4-SNC12.0 < 12.0.4affected
Johnson ControlsFacility Explorer F4-SNC11.0 < 11.0.6affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References