What is CVE-2022-21939?

CVE-2022-21939 is a high-severity vulnerability in Johnson Controls System Configuration Tool (Sct), classified under Sensitive Cookie Without 'HttpOnly' Flag. CVSS score: 7.5/10. Published 2023-02-09.

How severe is CVE-2022-21939?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2022-21939 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Johnson Controls System Configuration Tool (Sct)

CVE-2022-21939

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

EPSS: 0.002 (45.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Johnson Controls System Configuration Tool (Sct) — versions 14, 15

Weakness classification (CWE)

CWE-1004 — Sensitive Cookie Without 'HttpOnly' Flag

Public proof-of-concept exploits

karimhabush/cyberowl

References

Frequently asked questions

What is CVE-2022-21939?: CVE-2022-21939 is a high-severity vulnerability in Johnson Controls System Configuration Tool (Sct), classified under Sensitive Cookie Without 'HttpOnly' Flag. CVSS score: 7.5/10. Published 2023-02-09.
How severe is CVE-2022-21939?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2022-21939 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.