
CVE-2022-21940 : What You Need to Know

Learn about CVE-2022-21940, a high-severity vulnerability in Johnson Controls System Configuration Tool versions 14 and 15 that could allow unauthorized access to sensitive cookies. Find out the impact, technical details, and mitigation steps.

This article provides detailed information about CVE-2022-21940, a vulnerability in Johnson Controls System Configuration Tool (SCT) that could allow unauthorized access to sensitive cookies.

Understanding CVE-2022-21940

This section delves into the impact, technical details, and mitigation strategies related to CVE-2022-21940.

What is CVE-2022-21940?

The vulnerability is classified as "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" and affects versions 14 and 15 of the Johnson Controls System Configuration Tool (SCT). Exploiting this flaw could allow threat actors to access sensitive cookies.

The Impact of CVE-2022-21940

The vulnerability is rated HIGH severity, with a CVSS base score of 7.5. It could lead to unauthorized access to confidential data, compromise data integrity, and disrupt system availability. The exploitation of this vulnerability falls under CAPEC-212 Functionality Misuse.

Technical Details of CVE-2022-21940

This section outlines the specifics of the vulnerability, including the affected systems, exploitation mechanism, and more.

Vulnerability Description

The vulnerability arises from the absence of the 'Secure' attribute in HTTPS session cookies within the SCT versions 14 (prior to 14.2.3) and 15 (prior to 15.0.3).

Affected Systems and Versions

Johnson Controls System Configuration Tool (SCT) versions 14 (prior to 14.2.3) and 15 (prior to 15.0.3) are affected by this vulnerability.
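The affected ranges above are branch-specific (14.x before 14.2.3, 15.x before 15.0.3), so an inventory check has to compare within the major branch rather than against a single number. The script below is an added example for that triage step; it is not Johnson Controls code, and it assumes SCT reports a plain dotted numeric version string. The host names and versions in the inventory are constructed sample data.

```python
"""Triage an SCT inventory against the fixed versions named for CVE-2022-21940.

Added example, not Johnson Controls code. The affected ranges come from the
advisory text: 14.x prior to 14.2.3 and 15.x prior to 15.0.3. Assumes a
dotted numeric version string; inventory entries are constructed samples.
"""

# Fixed version per major branch, as stated in the advisory.
FIXED_VERSIONS = {14: (14, 2, 3), 15: (15, 0, 3)}


def parse_version(text):
    """Turn '14.2.3' into (14, 2, 3); missing components are padded with 0."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def status_for(version_text):
    """Return 'affected', 'fixed', or 'unlisted' (major branch not covered by the advisory)."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unlisted"
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """inventory: iterable of (host, version) -> list of (host, version, status)."""
    return [(host, ver, status_for(ver)) for host, ver in inventory]


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("sct-bldg-a", "14.2.1"),
    ("sct-bldg-b", "14.2.3"),
    ("sct-bldg-c", "15.0.2"),
    ("sct-bldg-d", "15.0.3"),
    ("sct-lab", "13.1"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {ver:8} {status}")
```

Hosts reported as "unlisted" run a major branch the advisory does not mention; they are not cleared by this check and should be confirmed with Johnson Controls rather than assumed safe.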

Exploitation Mechanism

Because the affected versions set HTTPS session cookies without the 'Secure' attribute, a browser holding such a cookie will also send it over unencrypted HTTP connections to the same host. A threat actor able to observe that traffic could obtain the cookie and use it to gain unauthorized access to sensitive data.
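The weakness is visible in the Set-Cookie header itself, so it can be checked from a captured HTTPS response without any knowledge of the application. The following is an added example (not code from the advisory or from Johnson Controls) that parses Set-Cookie headers and flags sensitive cookies lacking the Secure attribute, showing the weak form beside the corrected one. The cookie name "sctsession" and the header lines are constructed; the SCT's real cookie names are not given on the page, and the HttpOnly check is an added defensive check the advisory does not mention.

```python
"""Audit Set-Cookie headers for a sensitive cookie without the Secure attribute (CWE-614).

Added example, not part of the advisory or of Johnson Controls' SCT. Cookie
names and header lines are constructed; the HttpOnly check is an extra
defensive check beyond what the advisory describes.
"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or None for bare flags such as Secure
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a ParsedCookie."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    if "=" not in pair:
        raise ValueError(f"missing name=value in Set-Cookie: {header!r}")
    name, value = pair.split("=", 1)
    attributes = {}
    for attr in attrs:
        if not attr:
            continue
        if "=" in attr:
            key, val = attr.split("=", 1)
            attributes[key.strip().lower()] = val.strip()
        else:
            attributes[attr.lower()] = None
    return ParsedCookie(name.strip(), value, attributes)


def audit_cookie(cookie, sensitive_names):
    """Return findings for a cookie whose name marks it as session-bearing.

    A sensitive cookie without Secure is the CVE-2022-21940 pattern: the
    browser may send it over plain HTTP as well as HTTPS.
    """
    findings = []
    if cookie.name not in sensitive_names:
        return findings
    if "secure" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing Secure (CWE-614); may be sent over plain HTTP")
    if "httponly" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing HttpOnly; readable by page scripts")
    return findings


def audit_response_headers(headers, sensitive_names):
    """headers: list of (name, value) pairs from one HTTPS response."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_cookie(parse_set_cookie(value), sensitive_names))
    return findings


# Constructed samples: the weak form beside the corrected form.
SENSITIVE = {"sctsession"}  # constructed cookie name, not the SCT's real one
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sctsession=2f9c0a; Path=/; HttpOnly"),
]
FIXED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sctsession=2f9c0a; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_response_headers(headers, SENSITIVE) or "no findings")
```

The audit only judges cookies named in the sensitive set; listing every cookie the application issues would produce noise for non-session cookies, so the set should be built from the application's own session cookie names once they are known.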

Mitigation and Prevention

This section discusses the steps organizations can take to mitigate the risk posed by CVE-2022-21940.

Immediate Steps to Take

Organizations are advised to update SCT version 14 with patch 14.2.3 and SCT version 15 with patch 15.0.3. It is also recommended to contact local Johnson Controls offices or Authorized Building Control Specialists (ABCS) for assistance.

Long-Term Security Practices

In the long term, organizations should prioritize regular patching and updates, security awareness training for employees, and implementing robust cybersecurity measures to prevent similar vulnerabilities.

Patching and Updates

Regularly apply security patches provided by Johnson Controls for the System Configuration Tool (SCT) to address known vulnerabilities and improve overall system security.
