CVE-2020-9050 : What You Need to Know

Learn about CVE-2020-9050, a Path Traversal vulnerability in Johnson Controls' Metasys Reporting Engine (MRE) Web Services versions 2.0 and 2.1, allowing remote attackers to access system files.

A Path Traversal vulnerability in Metasys Reporting Engine (MRE) Web Services versions 2.0 and 2.1 could allow remote unauthenticated attackers to access and download arbitrary files.

Understanding CVE-2020-9050

This CVE involves an improper limitation of a pathname to a restricted directory, potentially leading to unauthorized access to system files.

What is CVE-2020-9050?

CVE-2020-9050 is a security vulnerability in Johnson Controls' Metasys Reporting Engine (MRE) Web Services versions 2.0 and 2.1, allowing remote unauthenticated attackers to exploit a Path Traversal flaw.

The Impact of CVE-2020-9050

The vulnerability poses a high severity risk with a CVSS base score of 7.5, affecting confidentiality by enabling unauthorized file access.

Technical Details of CVE-2020-9050

This section delves into the specifics of the vulnerability.

Vulnerability Description

The Path Traversal flaw in Metasys Reporting Engine (MRE) Web Services versions 2.0 and 2.1 permits remote unauthenticated attackers to retrieve arbitrary files from the system.
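To illustrate the bug class (improper limitation of a pathname to a restricted directory), here is an added example of the server-side containment check whose absence produces this kind of flaw. It is not Johnson Controls' code or their fix; `resolve_inside`, `PathRejected`, the `reports` directory and the sample names are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


class PathRejected(Exception):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_inside(base_dir: str, requested: str) -> str:
    """Map a client-supplied name to a real path that must stay under base_dir."""
    # Decode percent-encoding once, as a web framework would before handing over the name.
    name = unquote(requested)
    if "\x00" in name:
        raise PathRejected("NUL byte in name")
    # Treat both separator styles as separators so "..\\" is not missed on POSIX.
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise PathRejected("absolute path")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected("resolves outside base directory")
    return candidate


def demo() -> dict:
    """Run constructed sample names against a temporary report directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        reports = os.path.join(root, "reports")  # hypothetical served directory
        os.makedirs(os.path.join(reports, "2020"))
        samples = ["2020/summary.pdf", "../secret.txt", "..%2f..%2fsecret.txt",
                   "2020/..\\..\\secret.txt", "/etc/hostname", "2020/../2020/a.pdf"]
        for s in samples:
            try:
                resolve_inside(reports, s)
                results[s] = "allowed"
            except PathRejected as exc:
                results[s] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:32} {verdict}")
```

The check runs on the fully resolved path rather than on the raw string, so a name that contains `..` but still lands inside the base directory is allowed while encoded or backslash variants that escape it are rejected.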

Affected Systems and Versions

        Product: Metasys Reporting Engine (MRE) Web Services versions 2.0 and 2.1
        Vendor: Johnson Controls

Exploitation Mechanism

        Attack Complexity: Low
        Attack Vector: Network
        Confidentiality Impact: High
        User Interaction: None
        Privileges Required: None

Mitigation and Prevention

Protecting systems from CVE-2020-9050 requires immediate actions and long-term security practices.

Immediate Steps to Take

        Upgrade to MRE v2.2 or later
        Contact local branch office for remediation if licensed for MRE

Long-Term Security Practices

        Regularly update software and security patches
        Implement access controls and restrictions

Patching and Updates

Stay informed about security advisories and apply patches promptly to mitigate the risk of exploitation.
