CVE-2024-32757 - Vulnerability Details - OpenCVE

Description

Under certain circumstances unnecessary user details are provided within system logs

Published: 2024-07-02

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Johnson Controls

American Dynamics Illustra Essentials Gen 4

unaffected

Version	Status	Constraints
`0`	unaffected	≤ Illustra.Ess4.01.02.10.5982

No data.

No data.

No data available yet.

Remediation

Vendor Solution

Update firmware to Illustra.Ess4.01.02.13.6953

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-30544	Under certain circumstances unnecessary user details are provided within system logs

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00115.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

History

No history.

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2024-07-02T14:02:15.247Z

Updated: 2024-08-02T02:20:35.566Z

Reserved: 2024-04-17T17:26:35.181Z

Link: CVE-2024-32757

Vulnrichment

Updated: 2024-08-02T02:20:35.566Z

NVD

Status : Deferred

Published: 2024-07-02T14:15:12.783

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-32757

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-532

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32757", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-04-17T17:26:35.181Z", "datePublished": "2024-07-02T14:02:15.247Z", "dateUpdated": "2024-08-02T02:20:35.566Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "American Dynamics Illustra Essentials Gen 4", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "Illustra.Ess4.01.02.10.5982", "status": "unaffected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sam Hanson of Dragos"}], "datePublic": "2024-06-27T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Under certain circumstances unnecessary user details are provided within system logs</span>"}], "value": "Under certain circumstances unnecessary user details are provided within system logs"}], "impacts": [{"capecId": "CAPEC-653", "descriptions": [{"lang": "en", "value": "CAPEC-653: Use of Known Operating System Credentials"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-07-12T11:52:43.770Z"}, "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.06);\">Update firmware to Illustra.Ess4.01.02.13.6953 </span><br>"}], "value": "Update firmware to Illustra.Ess4.01.02.13.6953"}], "source": {"discovery": "UNKNOWN"}, "title": "American Dynamics Illustra Essentials Gen 4 - Linux Credential Leak", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "johnsoncontrols", "product": "illustra_essential_gen_4_firmware", "cpes": ["cpe:2.3:o:johnsoncontrols:illustra_essential_gen_4_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "Illustra.Ess4.01.02.13.6953", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T13:52:39.937857Z", "id": "CVE-2024-32757", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T13:52:43.347Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.566Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.566Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32757", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T13:52:39.937857Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:johnsoncontrols:illustra_essential_gen_4_firmware:*:*:*:*:*:*:*:*"], "vendor": "johnsoncontrols", "product": "illustra_essential_gen_4_firmware", "versions": [{"status": "affected", "version": "0", "lessThan": "Illustra.Ess4.01.02.13.6953", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T13:51:58.150Z"}}], "cna": {"title": "American Dynamics Illustra Essentials Gen 4 - Linux Credential Leak", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sam Hanson of Dragos"}], "impacts": [{"capecId": "CAPEC-653", "descriptions": [{"lang": "en", "value": "CAPEC-653: Use of Known Operating System Credentials"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Johnson Controls", "product": "American Dynamics Illustra Essentials Gen 4", "versions": [{"status": "unaffected", "version": "0", "versionType": "custom", "lessThanOrEqual": "Illustra.Ess4.01.02.10.5982"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update firmware to Illustra.Ess4.01.02.13.6953", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.06);\">Update firmware to Illustra.Ess4.01.02.13.6953 </span><br>", "base64": false}]}], "datePublic": "2024-06-27T16:00:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Under certain circumstances unnecessary user details are provided within system logs", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Under certain circumstances unnecessary user details are provided within system logs</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-07-12T11:52:43.770Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32757", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:20:35.566Z", "dateReserved": "2024-04-17T17:26:35.181Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2024-07-02T14:02:15.247Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}