CVE-2024-0912
8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
Summary
Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior versions
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Johnson Controls | Software House C•CURE 9000 | 0 <= 2.90 | affected |
Weaknesses
- CWE-532: CWE-532 Insertion of Sensitive Information into Log File
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2024/jci-psa-2024-04.pdf
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-03
References
- https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2024/jci-psa-2024-04.pdf
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-03
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.