What is CVE-2022-21940?

CVE-2022-21940 is a high-severity vulnerability in Johnson Controls System Configuration Tool (Sct), classified under Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. CVSS score: 7.5/10. Published 2023-02-09.

How severe is CVE-2022-21940?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2022-21940 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Johnson Controls System Configuration Tool (Sct)

CVE-2022-21940

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

EPSS: 0.001 (31.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Johnson Controls System Configuration Tool (Sct) — versions 14, 15

Weakness classification (CWE)

CWE-614 — Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Public proof-of-concept exploits

karimhabush/cyberowl

References

Frequently asked questions

What is CVE-2022-21940?: CVE-2022-21940 is a high-severity vulnerability in Johnson Controls System Configuration Tool (Sct), classified under Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. CVSS score: 7.5/10. Published 2023-02-09.
How severe is CVE-2022-21940?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2022-21940 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.