CVE-2020-9049: victor Web Client and C•CURE Web Client JSON Web Token (JWT) Vulnerability
First published: Thu Nov 19 2020(Updated: )
A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.
Credit: productsecurity@jci.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Johnsoncontrols C-cure Web | <=2.90 | |
| Johnsoncontrols Victor Web | <=5.6 | |
| Sensormatic Electronics, LLC; a subsidiary of Johnson Controls All versions of victor Web Client up to and including v5.6 | ||
| Sensormatic Electronics, LLC; a subsidiary of Johnson Controls All versions of C•CURE Web Client up to and including v2.90 |
Remedy
victor Web Client • victor Web Client v5.6 and earlier – upgrade to v5.6 SP1 (victor Unified Client v5.6 SP1) Registered users can obtain the software update by downloading the update found here: https://www.americandynamics.net/support/SoftwareDownloads.aspx. C•CURE Web Client C•CURE Web v2.60 and earlier - upgrade to a minimum of v2.70 and install the relevant update below. • C•CURE Web v2.70 - install the update WebClient_c2.70_5.2_Update02 • C•CURE Web v2.80 - install the update WebClient_c2.80_v5.4.1_Update04 • C•CURE Web v2.90 - install the update CCureWeb_2.90_Update01 Registered users can obtain the software update by downloading the update found here: https://swhouse.com/Support/SoftwareDownloads.aspx.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-9049?
CVE-2020-9049 is a vulnerability in specified versions of American Dynamics victor Web Client and Software House C-CURE Web Client.
How does CVE-2020-9049 affect Johnsoncontrols C-cure Web?
CVE-2020-9049 affects Johnsoncontrols C-cure Web versions up to and including 2.90.
How does CVE-2020-9049 affect Johnsoncontrols Victor Web?
CVE-2020-9049 affects Johnsoncontrols Victor Web versions up to and including 5.6.
What is the severity of CVE-2020-9049?
CVE-2020-9049 has a severity rating of 5.3 which is considered high.
How can I fix CVE-2020-9049?
To fix CVE-2020-9049, it is recommended to update to a version that is not affected by the vulnerability, as advised by Johnson Controls.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/author
- agent/remedy
- agent/title
- agent/description
- agent/references
- agent/severity
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/trending
- vendor/johnsoncontrols
- canonical/johnsoncontrols c-cure web
- version/johnsoncontrols c-cure web/2.90
- canonical/johnsoncontrols victor web
- version/johnsoncontrols victor web/5.6
- vendor/sensormatic electronics, llc; a subsidiary of johnson controls
- canonical/sensormatic electronics, llc; a subsidiary of johnson controls all versions of victor web client up to and including v5.6
- canonical/sensormatic electronics, llc; a subsidiary of johnson controls all versions of c•cure web client up to and including v2.90