CVE-2014-5427: Infoleak
First published: Sun Mar 29 2015(Updated: )
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read password hashes via a POST request.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Johnson Controls Metasys | =4.1 | |
| Johnson Controls Metasys | =6.5 | |
| Johnson Controls Application And Data Server | ||
| Johnson Controls Extended Application and Data Server | ||
| Johnson Controls Lonworks Control Server LCS8520 | ||
| Johnsoncontrols Network Automation Engine 5510-2u | ||
| Johnson Controls Network Automation Engine | ||
| Johnson Controls Network Automation Engine | ||
| Johnson Controls Network Automation Engine | ||
| Johnson Controls Network Automation Engine 5521-2 | ||
| Johnson Controls Network Integration Engine 5510-2 | ||
| Johnson Controls Network Integration Engine 5511-2 | ||
| Johnson Controls NXE8500 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-5427?
CVE-2014-5427 has been assigned a medium severity rating due to its ability to allow remote attackers to access sensitive data.
What systems are affected by CVE-2014-5427?
CVE-2014-5427 affects Johnson Controls Metasys versions 4.1 through 6.5, including various servers and control systems.
How does CVE-2014-5427 allow unauthorized access?
CVE-2014-5427 allows unauthorized remote attackers to read sensitive files due to improper access controls in the affected software.
How do I fix CVE-2014-5427?
To mitigate CVE-2014-5427, it is recommended to upgrade to the latest version of Johnson Controls Metasys that addresses this vulnerability.
Are there any workarounds for CVE-2014-5427?
As of now, the primary solution for CVE-2014-5427 is to apply available patches or updates provided by Johnson Controls.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/johnsoncontrols
- canonical/johnson controls metasys
- version/johnson controls metasys/4.1
- version/johnson controls metasys/6.5
- canonical/johnson controls application and data server
- canonical/johnson controls extended application and data server
- canonical/johnson controls lonworks control server lcs8520
- canonical/johnsoncontrols network automation engine 5510-2u
- canonical/johnson controls network integration engine 5510-2
- canonical/johnson controls network automation engine
- canonical/johnson controls network automation engine 5521-2
- canonical/johnson controls network integration engine 5511-2
- canonical/johnson controls nxe8500