← Back to CVEs

CVE-2019-7589

CRITICAL

9.8

Description

A vulnerability with the SmartService API Service option exists whereby an unauthorized user could potentially exploit this to upload malicious code to the server that could be executed at system level privileges. This affects Johnson Controls' Kantech EntraPass Corporate Edition versions 8.0 and prior; Kantech EntraPass Global Edition versions 8.0 and prior.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published3/10/2020

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

johnsoncontrols:entrapass

Weaknesses (CWE)

CWE-20CWE-20

References

https://www.johnsoncontrols.com/cyber-solutions/security-advisories(productsecurity@jci.com)

https://www.us-cert.gov/ics/advisories/icsa-20-070-04(productsecurity@jci.com)

https://www.johnsoncontrols.com/cyber-solutions/security-advisories(af854a3a-2127-422b-91ae-364da2661108)

https://www.us-cert.gov/ics/advisories/icsa-20-070-04(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.