CVE Vulnerability

CVE-2019-7589

A vulnerability with the SmartService API Service option exists whereby an unauthorized user could potentially exploit this to upload malicious code to the server that could be executed at system level privileges. This affects Johnson Controls' Kantech EntraPass Corporate Edition versions 8.0 and prior; Kantech EntraPass Global Edition versions 8.0 and prior.

10 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.johnsoncontrols.com/cyber-solutions/security-advisories Vendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-20-070-04 Third Party Advisory US Government Resource
Configurations

Configuration 1

cpe:2.3:a:johnsoncontrols:entrapass:*:*:*:*:corporate:*:*:*
cpe:2.3:a:johnsoncontrols:entrapass:*:*:*:*:global:*:*:*
Information

Published : 2020-03-10 08:15

Updated : 2020-03-11 08:25

NVD link : CVE-2019-7589

Mitre link : CVE-2019-7589

Products Affected
No products.
CWE
CWE-20