CVE-2019-7589 CRITICAL

CVE-2019-7589: Kantech EntraPass Improper Input Validation

Vendor Johnson Controls

Product Kantech EntraPass Corporate Edition

Weakness CWE-20 · Input validation

Published March 10, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability with the SmartService API Service option exists whereby an unauthorized user could potentially exploit this to upload malicious code to the server that could be executed at system level privileges. This affects Johnson Controls' Kantech EntraPass Corporate Edition versions 8.0 and prior; Kantech EntraPass Global Edition versions 8.0 and prior.

Key dates

02Disclosure timeline

March 10, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-7589 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

Identifiers

CVE CVE-2019-7589

CWE CWE-20

CVSS 9.8 / CRITICAL

Affected versions

Vendor Johnson Controls

Product Kantech EntraPass Corporate Edition

Affected versions 8.0 and prior

Vendor Johnson Controls

Product Kantech EntraPass Global Edition

Affected versions 8.0 and prior

CVE-2019-7589: Kantech EntraPass Improper Input Validation

01Description

02Disclosure timeline

03References

04Related CVE