CVE-2021-36204 - Vulnerability Details - OpenCVE

Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Johnsoncontrols	Metasys Application And Data Server Metasys Extended Application And Data Server Metasys Open Application Server

Configuration 1 [-]

OR	cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server::::::::
	cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server::::::::
	cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server::::::::
	cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server::::::::
	cpe:2.3:a:johnsoncontrols:metasys_open_application_server::::::::
	cpe:2.3:a:johnsoncontrols:metasys_open_application_server::::::::

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

History

Mon, 07 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2023-01-13T00:00:00.000Z

Updated: 2025-04-07T19:45:35.972Z

Reserved: 2021-07-06T00:00:00.000Z

Link: CVE-2021-36204

Vulnrichment

Updated: 2024-08-04T00:54:51.234Z

NVD

Status : Modified

Published: 2023-01-13T21:15:15.360

Modified: 2024-11-21T06:13:18.790

Link: CVE-2021-36204

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-36204", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "assignerShortName": "jci", "dateUpdated": "2025-04-07T19:45:35.972Z", "dateReserved": "2021-07-06T00:00:00.000Z", "datePublished": "2023-01-13T00:00:00.000Z"}, "containers": {"cna": {"title": "Insufficiently Protected Credentials in Metasys ", "datePublic": "2023-01-13T00:00:00.000Z", "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2023-01-13T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text."}], "affected": [{"vendor": "Johnson Controls", "product": "Metasys ADS/ADX/OAS", "versions": [{"version": "All 10 versions", "status": "affected", "lessThan": "10.1.6", "versionType": "custom"}, {"version": "All 11 versions", "status": "affected", "lessThan": "11.0.3", "versionType": "custom"}]}], "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "cweId": "CWE-522"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "INTERNAL"}, "solutions": [{"lang": "en", "value": "Update all Metasys ADS/ADX/OAS 10 versions with patch 10.1.6."}, {"lang": "en", "value": "Update all Metasys ADS/ADX/OAS 11 versions with patch 11.0.3."}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:54:51.234Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "tags": ["x_transferred"]}, {"name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-07T19:45:28.404334Z", "id": "CVE-2021-36204", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T19:45:35.972Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06", "name": "ICS-CERT Advisory", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:54:51.234Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-36204", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-07T19:45:28.404334Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T19:45:31.973Z"}}], "cna": {"title": "Insufficiently Protected Credentials in Metasys ", "source": {"discovery": "INTERNAL"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Johnson Controls", "product": "Metasys ADS/ADX/OAS", "versions": [{"status": "affected", "version": "All 10 versions", "lessThan": "10.1.6", "versionType": "custom"}, {"status": "affected", "version": "All 11 versions", "lessThan": "11.0.3", "versionType": "custom"}]}], "solutions": [{"lang": "en", "value": "Update all Metasys ADS/ADX/OAS 10 versions with patch 10.1.6."}, {"lang": "en", "value": "Update all Metasys ADS/ADX/OAS 11 versions with patch 11.0.3."}], "datePublic": "2023-01-13T00:00:00.000Z", "references": [{"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06", "name": "ICS-CERT Advisory", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2023-01-13T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2021-36204", "state": "PUBLISHED", "dateUpdated": "2025-04-07T19:45:35.972Z", "dateReserved": "2021-07-06T00:00:00.000Z", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "datePublished": "2023-01-13T00:00:00.000Z", "assignerShortName": "jci"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD7580CF-9B2D-441F-9F87-2D3AA0972F65", "versionEndExcluding": "10.1.6", "versionStartIncluding": "10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:johnsoncontrols:metasys_application_and_data_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "262BBB40-E1BB-4C89-B92F-0B43FBF0B64C", "versionEndExcluding": "11.0.3", "versionStartIncluding": "11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C3A978D-692C-4023-8A2E-B1F28B57763B", "versionEndExcluding": "10.1.6", "versionStartIncluding": "10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:johnsoncontrols:metasys_extended_application_and_data_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9CD5BAD-C152-4740-B289-206777A4B918", "versionEndExcluding": "11.0.3", "versionStartIncluding": "11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:johnsoncontrols:metasys_open_application_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA185C2A-D5DE-4346-A409-0C457D72848D", "versionEndExcluding": "10.1.6", "versionStartIncluding": "10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:johnsoncontrols:metasys_open_application_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5A5399D-16B3-4C4A-ADB2-791BD1449B0F", "versionEndExcluding": "11.0.3", "versionStartIncluding": "11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text."}, {"lang": "es", "value": "En algunas circunstancias, una vulnerabilidad de credenciales insuficientemente protegidas en Johnson Controls Metasys ADS/ADX/OAS versiones 10 anteriores a 10.1.6 y 11 versiones anteriores a 11.0.3 permite que las llamadas API expongan credenciales en texto plano."}], "id": "CVE-2021-36204", "lastModified": "2024-11-21T06:13:18.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "productsecurity@jci.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-13T21:15:15.360", "references": [{"source": "productsecurity@jci.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06"}, {"source": "productsecurity@jci.com", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "productsecurity@jci.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}