CVE-2019-7589

Kantech EntraPass Improper Input Validation

Description

A vulnerability with the SmartService API Service option exists whereby an unauthorized user could potentially exploit this to upload malicious code to the server that could be executed at system level privileges. This affects Johnson Controls' Kantech EntraPass Corporate Edition versions 8.0 and prior; Kantech EntraPass Global Edition versions 8.0 and prior.

Remediation

Solution:

Upgrade impacted Kantech EntraPass Global and Corporate edition software to version 8.10.

References

Link	Tags
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	vendor advisory
https://www.us-cert.gov/ics/advisories/icsa-20-070-04	third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2019-7589?: CVE-2019-7589 has been scored as a critical severity vulnerability.
How to fix CVE-2019-7589?: To fix CVE-2019-7589: Upgrade impacted Kantech EntraPass Global and Corporate edition software to version 8.10.
Is CVE-2019-7589 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2019-7589 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-7589?: CVE-2019-7589 affects Johnson Controls Kantech EntraPass Corporate Edition, Johnson Controls Kantech EntraPass Global Edition.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Remediation

Category

CWE-20 – Improper Input Validation

References

Frequently Asked Questions