Rewterz Threat Advisory – Multiple Apple iOS and iPadOS Vulnerabilities
May 22, 2023Rewterz Threat Advisory – ICS: Mitsubishi Electric MELSEC WS Series Vulnerability
May 22, 2023Rewterz Threat Advisory – Multiple Apple iOS and iPadOS Vulnerabilities
May 22, 2023Rewterz Threat Advisory – ICS: Mitsubishi Electric MELSEC WS Series Vulnerability
May 22, 2023Severity
High
Analysis Summary
CVE-2023-2024 CVSS:10
Johnson Controls OpenBlue Enterprise Manager Data Collector could allow a remote attacker to bypass security restrictions, caused by improper authentication validation by the API calls. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVE-2023-2025 CVSS:5
Johnson Controls OpenBlue Enterprise Manager Data Collector could allow a remote authenticated attacker to obtain sensitive information, caused by improper authorization validation by the API calls. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
Impact
- Security Bypass
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2023-2024
- CVE-2023-2025
Affected Vendors
Johnson Controls
Affected Products
- Johnson Controls OpenBlue Enterprise Manager Data Collector 3.2.5
Remediation
Refer to Johnson Controls Security Advisory for patch, upgrade or suggested workaround information.