CVE-2021-36204 HIGH

CVE-2021-36204: Insufficiently Protected Credentials in Metasys

Vendor Johnson Controls
Product Metasys ADS/ADX/OAS
Weakness CWE-522 · Insufficiently protected credentials
Published January 13, 2023
Last update April 7, 2025

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.

Key dates

02 Disclosure timeline

January 13, 2023 CVE published
April 7, 2025 Record updated