XXE in Johnson Controls Metasys Application and Data Server (ADS, ADS-Lite)
CVE-2020-9044
An XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite…
Vulnerability class: XXE (XML External Entity)
EPSS: 0.013 (66.5th percentile)
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Johnson Controls Metasys Application and Data Server (ADS, ADS-Lite) — versions 10.1 and prior
- Johnson Controls Metasys Extended Application and Data Server (ADX) — versions 10.1 and prior
- Johnson Controls Metasys LonWorks Control Server (LCS) — versions 10.1 and prior
- Johnson Controls Metasys NAE85 and NIE85 — versions 10.1 and prior
- Johnson Controls Metasys Network Automation Engine (NAE55 only) — versions 9.0.1, 9.0.2, 9.0.3
- Johnson Controls Metasys Network Integration Engine (NIE55/NIE59) — versions 9.0.1, 9.0.2, 9.0.3
- Johnson Controls Metasys Open Application Server (OAS) — version 10.1
- Johnson Controls Metasys Open Data Server (ODS) — versions 10.1 and prior
- Johnson Controls Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) — version 8.1
- Johnson Controls Metasys System Configuration Tool (SCT) — versions 13.2 and prior
Weakness classification (CWE)
References
- productsecurity@jci.com (x_refsource_CONFIRM, Vendor Advisory)
- productsecurity@jci.com (US Government Resource, Third Party Advisory, x_refsource_CERT, third-party-advisory)
Frequently asked questions
- What is CVE-2020-9044?
- CVE-2020-9044 is a high-severity vulnerability in Johnson Controls Metasys Application and Data Server (ADS, ADS-Lite), classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.5/10. Published 2020-03-10.
- How severe is CVE-2020-9044?
- High severity. CVSS v3 base score is 7.5 out of 10.