CVE-2021-27656: exacqVision Web Services - Information Exposure
First published: Thu Mar 18 2021(Updated: )
A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system.
Credit: productsecurity@jci.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Johnsoncontrols Exacqvision Web Service | <=20.12.2.0 | |
| Exacq Technologies, Inc., a subsidiary of Johnson Controls exacqVision Web Service: All supported versions up to and including v20.12.02.0 |
Remedy
Upgrade all versions of exacqVision Web Service to v21.03.3 or later. Web Service 21.03.3 or later will only provide a full response to health.web info when authorized. Users can obtain the software update by downloading the update found here: https://exacq.com/support/downloads.php.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-27656?
CVE-2021-27656 is a vulnerability in exacqVision Web Service 20.12.2.0 and prior that could allow an unauthenticated attacker to view system-level information about the service and the operating system.
What is the severity of CVE-2021-27656?
The severity of CVE-2021-27656 is high, with a CVSS score of 7.5.
How can an attacker exploit CVE-2021-27656?
An attacker can exploit CVE-2021-27656 by sending a specially crafted request to the exacqVision Web Service to retrieve system-level information.
Which versions of exacqVision Web Service are affected by CVE-2021-27656?
exacqVision Web Service versions up to and including 20.12.2.0 are affected by CVE-2021-27656.
Is there a fix available for CVE-2021-27656?
Yes, it is recommended to update exacqVision Web Service to a version that is not vulnerable to CVE-2021-27656.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/author
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/softwarecombine
- agent/event
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/johnsoncontrols
- canonical/johnsoncontrols exacqvision web service
- version/johnsoncontrols exacqvision web service/20.12.2.0
- vendor/exacq technologies, inc., a subsidiary of johnson controls
- canonical/exacq technologies, inc., a subsidiary of johnson controls exacqvision web service: all supported versions up to and including v20.12.02.0