CVE-2022-21940

NVD

https://nvd.nist.gov/vuln/detail/CVE-2022-21940

CWE

https://cwe.mitre.org/data/definitions/614.html

Sensitive Cookie in HTTPS Session Without Secure Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

Weakness

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Affected Software

Name	Vendor	Start Version	End Version
Metasys_system_configuration_tool	Johnsoncontrols	14.0 (including)	14.2.3 (excluding)
Metasys_system_configuration_tool	Johnsoncontrols	15.0 (including)	15.0.3 (excluding)

Potential Mitigations

https://cwe.mitre.org/data/definitions/102.html

References

https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References