CVE-2024-32862 - Vulnerability Details - OpenCVE

Description

Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.

Published: 2024-08-01

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Johnson Controls

exacqVision

affected

Version	Status	Constraints
`0`	affected	≤ 24.03

Configuration 1 [-]

cpe:2.3:a:johnsoncontrols:exacqvision_web_service:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update exacqVision Web Service to version 24.06

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-30648	Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00268.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-02
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

History

Fri, 09 Aug 2024 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-697

Subscriptions

Johnsoncontrols Exacqvision Web Service

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2024-08-01T21:57:13.093Z

Updated: 2024-08-02T14:58:44.835Z

Reserved: 2024-04-19T13:45:43.929Z

Link: CVE-2024-32862

Vulnrichment

Updated: 2024-08-02T14:58:38.360Z

NVD

Status : Analyzed

Published: 2024-08-01T22:15:24.783

Modified: 2024-08-09T18:55:44.473

Link: CVE-2024-32862

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32862", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2024-04-19T13:45:43.929Z", "datePublished": "2024-08-01T21:57:13.093Z", "dateUpdated": "2024-08-02T14:58:44.835Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "exacqVision", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "24.03", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Diego Zaffaroni from Nozomi Networks"}], "datePublic": "2024-08-01T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.024);\">\n\n<span style=\"background-color: rgba(9, 30, 66, 0.06);\">\n\n<p>\n\n<span style=\"background-color: rgba(9, 30, 66, 0.055);\">Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. </span>\n\n</p>\n\n</span>\n\n </span>"}], "value": "Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-942", "description": "CWE-942 Permissive Cross-domain Policy with Untrusted Domains", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-08-01T21:57:13.093Z"}, "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.024);\">Update exacqVision Web Service to version 24.06</span>\n\n<br>"}], "value": "Update exacqVision Web Service to version 24.06"}], "source": {"discovery": "UNKNOWN"}, "title": "exacqVision CORS", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "johnsoncontrols", "product": "exacqvision_web_service", "cpes": ["cpe:2.3:a:johnsoncontrols:exacqvision_web_service:*:*:*:*:*:*:*:*"], "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "24.03", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T14:54:54.809433Z", "id": "CVE-2024-32862", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T14:58:44.835Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-02T14:54:54.809433Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:johnsoncontrols:exacqvision_web_service:*:*:*:*:*:*:*:*"], "vendor": "johnsoncontrols", "product": "exacqvision_web_service", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "24.03"}], "defaultStatus": "affected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T14:58:38.360Z"}}], "cna": {"title": "exacqVision CORS", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Diego Zaffaroni from Nozomi Networks"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Johnson Controls", "product": "exacqVision", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "24.03"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Update exacqVision Web Service to version 24.06", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.024);\">Update exacqVision Web Service to version 24.06</span>\n\n<br>", "base64": false}]}], "datePublic": "2024-08-01T16:00:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-02"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgba(9, 30, 66, 0.024);\">\n\n<span style=\"background-color: rgba(9, 30, 66, 0.06);\">\n\n<p>\n\n<span style=\"background-color: rgba(9, 30, 66, 0.055);\">Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. </span>\n\n</p>\n\n</span>\n\n </span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942 Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2024-08-01T21:57:13.093Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32862", "state": "PUBLISHED", "dateUpdated": "2024-08-02T14:58:44.835Z", "dateReserved": "2024-04-19T13:45:43.929Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2024-08-01T21:57:13.093Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:exacqvision_web_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EAD8287-8213-4984-A79C-CB1F79CC0C15", "versionEndIncluding": "24.03", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains."}, {"lang": "es", "value": " En determinadas circunstancias, los servicios web de ExacqVision no proporcionan suficiente protecci\u00f3n contra dominios que no son de confianza."}], "id": "CVE-2024-32862", "lastModified": "2024-08-09T18:55:44.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2024-08-01T22:15:24.783", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-02"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-697"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-942"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}