How severe is CVE-2020-9044?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2020-9044?

This is classified as CWE-611, which is a common weakness in software security.

CVE-2020-9044 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

Related Vulnerabilities

CVE-2012-2239

CRITICAL

CVSS:9.1(Critical)

Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading...

CWE-6112012

CVE-2012-3363

CRITICAL

CVSS:9.1(Critical)

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connect...

CWE-6112012

CVE-2013-4333

CRITICAL

CVSS:9.1(Critical)

OpenPNE 3 versions 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6, 3.0.8.5 has an External Entity Injection Vulnerability

CWE-6112013

CVE-2014-0931

CRITICAL

CVSS:9.1(Critical)

Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN Server / CM Server, (2) Perl CC/CQ integration trigger scripts, (3) CMAPI Java interface, (4) ClearCase remote client, and (5) CM...

CWE-6112014

CVE-2016-2908

CRITICAL

CVSS:9.1(Critical)

IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker ...

CWE-6112016

CVE-2016-3974

CRITICAL

CVSS:9.1(Critical)

XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access ...

CWE-6112016