1. EXECUTIVE SUMMARY
- CVSS v3 5.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Johnson Controls, Inc.
- Equipment: Web Service
- Vulnerability: Use of GET Request Method With Sensitive Query Strings
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Johnson Controls exacqVision Web Service are affected:
- exacqVision Web Service: Versions 24.03 and prior
3.2 Vulnerability Overview
3.2.1 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598
Under certain circumstances exacqVision Web Service versions 24.03 and prior can expose authentication token details within communications.
CVE-2024-32931 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N).
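The advisory does not describe the exacqVision request format, so the practical question for an operator is how to tell whether tokens are travelling in query strings on their own network. The following is an added example, not code from the advisory or from Johnson Controls: a small scanner over web-server access lines in common log format that flags GET requests whose query parameters look like credentials (CWE-598), either by a conventional parameter name or by a high-entropy or JWT-shaped value, and redacts them so findings can be shared. The sample log lines and the parameter name `token` are constructed for illustration and are assumptions, not observed exacqVision traffic.

```python
"""Spot CWE-598 exposures in web access logs: GET requests whose query
string carries credential-like parameters (session/auth tokens, API keys).

Added example, not code from the advisory or from Johnson Controls. The
log lines and the parameter name 'token' are constructed for illustration;
the exacqVision request format is not described in the advisory.
"""
import math
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Common log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')

# Parameter names that conventionally carry credentials (heuristic; 'auth'
# also matches e.g. 'author', so treat hits as leads, not proof).
SENSITIVE_NAMES = re.compile(r'(token|session|sess|auth|api[_-]?key|apikey|'
                             r'password|passwd|pwd|secret|sid|jwt)', re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above ordinary words."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(value: str) -> bool:
    """Heuristic: JWT shape (three base64url segments) or a long,
    high-entropy value with no spaces."""
    parts = value.split('.')
    if len(parts) == 3 and all(re.fullmatch(r'[A-Za-z0-9_-]+', p) for p in parts):
        return True
    return len(value) >= 16 and ' ' not in value and shannon_entropy(value) >= 3.5


def _is_sensitive(name: str, value: str) -> bool:
    return bool(SENSITIVE_NAMES.search(name)) or looks_like_token(value)


def sensitive_params(target: str) -> list[str]:
    """Names of query parameters in `target` that look like credentials."""
    qs = urlsplit(target).query
    return [k for k, v in parse_qsl(qs, keep_blank_values=True) if _is_sensitive(k, v)]


def redact(target: str) -> str:
    """Replace credential-like parameter values so findings can be shared."""
    parts = urlsplit(target)
    pairs = [(k, 'REDACTED' if _is_sensitive(k, v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan(lines):
    """Return (client_ip, method, redacted_target, flagged_names) for every
    GET request that carries credential-like query parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common log format; skip rather than guess
        if m['method'] != 'GET':
            continue  # CWE-598 concerns GET query strings specifically
        flagged = sensitive_params(m['target'])
        if flagged:
            findings.append((m['ip'], m['method'], redact(m['target']), flagged))
    return findings


# Constructed sample lines (not captured from any real exacqVision deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /api/cameras?token=9f3b2c4d8e1a7f6b5c0d2e4a6b8c1d3f HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jun/2024:12:00:02 +0000] "GET /api/cameras?id=12 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jun/2024:12:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.9 - - [10/Jun/2024:12:00:04 +0000] "GET /status?cb=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.Ue9a7Gq1 HTTP/1.1" 200 40',
    'garbage line that is not a log entry',
]

if __name__ == '__main__':
    for ip, method, target, names in scan(SAMPLE_LOG):
        print(f'{ip} {method} {target}  <- credential-like params: {", ".join(names)}')
```

The value-based check matters because a leaked token does not have to sit under an obvious name: the fourth sample line is caught on the JWT shape of its value alone. Access logs, proxy logs and browser history all retain GET query strings, which is why moving the token to an `Authorization` header or a cookie (or upgrading, as the vendor recommends below) is the fix rather than filtering the logs.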
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Ireland
3.4 RESEARCHER
Diego Zaffaroni from Nozomi Networks reported this vulnerability to Johnson Controls, Inc.
4. MITIGATIONS
Johnson Controls recommends users update exacqVision Web Service to version 24.06.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory […]