Vulnerability Description
A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Johnsoncontrols | C-Cure Web | <= 2.90 |
| Johnsoncontrols | Victor Web | <= 5.6 |
Related Weaknesses (CWE)
References
- https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01PatchThird Party AdvisoryUS Government Resource
- https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01PatchThird Party AdvisoryUS Government Resource
- https://www.johnsoncontrols.com/cyber-solutions/security-advisoriesVendor Advisory
- https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01PatchThird Party AdvisoryUS Government Resource
- https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01PatchThird Party AdvisoryUS Government Resource
- https://www.johnsoncontrols.com/cyber-solutions/security-advisoriesVendor Advisory
FAQ
What is CVE-2020-9049?
CVE-2020-9049 is a vulnerability with a CVSS score of 7.1 (HIGH). A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JS...
How severe is CVE-2020-9049?
CVE-2020-9049 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-9049?
Check the references section above for vendor advisories and patch information. Affected products include: Johnsoncontrols C-Cure Web, Johnsoncontrols Victor Web.