CVE-2021-27661

Published: Jul 1, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC.

Affected (1)

Products: Johnsoncontrols: F4 Snc Firmware

Johnsoncontrols

1 product

F4 Snc Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Johnsoncontrols F4 Snc Firmware	Version 11

Running on/with	Platform Versions
Johnsoncontrols F4 Snc	All versions

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01

Source: productsecurity@jci.com

Third Party AdvisoryUS Government Resource

https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Source: productsecurity@jci.com

Vendor Advisory

https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.