CVE-2020-9044

HIGH

Johnson Controls Metasys Family - XML External Entity Injection

Title source: llm
STIX 2.1

Description

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

References (2)

Core 2
Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
https://www.us-cert.gov/ics/advisories/icsa-20-070-05

Scores

CVSS v3 7.5
EPSS 0.0129
EPSS Percentile 66.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-611
Status published
Products (26)
johnsoncontrols/metasys_application_and_data_server < 10.1 (2 CPE variants)
johnsoncontrols/metasys_extended_application_and_data_server < 10.1
johnsoncontrols/metasys_lonworks_control_server < 10.1
johnsoncontrols/metasys_open_application_server 10.1
johnsoncontrols/metasys_open_data_server < 10.1
johnsoncontrols/metasys_system_configuration_tool < 13.2
johnsoncontrols/nae55_firmware 9.0.1
johnsoncontrols/nae55_firmware 9.0.2
johnsoncontrols/nae55_firmware 9.0.3
johnsoncontrols/nae55_firmware 9.0.5
... and 16 more
Published Mar 10, 2020
Tracked Since Feb 18, 2026