CVE-2021-36200 An unauthenticated user could access the Metasys ADS/ADX/OAS 10 web API and enumerate users.

This issue has been fixed.

In certain cases, an unauthenticated user could access the LDAP server. This issue has been fixed.

In certain cases, an unauthenticated user could bypass authentication, escalate privileges to SYSTEM, and read or write data. This issue has been fixed.

In certain cases an unauthenticated user could access the LDAP server for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and read or write data. This issue has been fixed.

New Features and Improvements

New features and improvements have been made to the LDAP server in this release.

LDAP Server:
- Fix for an unauthenticated user being able to access the LDAP server.
- Improvement to authentication process.
- Fix for an unauthenticated user bypassing authentication, escalating privileges to SYSTEM, or reading or writing data.
- Fix for an unauthenticated user accessing the LDAP server for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and reading or writing data.

Affected Software

Metasys ADS/ADX/OAS 10 versions prior to 10.1.6, 11 versions prior to 11.0.2
The following Metasys ADS/ADX/OAS components are affected by this issue:

- Metasys ADS 9.0 through 9.3
- Metasys ADX 5 through 9
- Metasys OAS 3 through 4
Note: the vulnerability is not present in the current version of these components.

How to Find the Affected Products

Products that may potentially be affected by this vulnerability are Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2.

Product names: Metasys ADS, ADX, OAS
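To turn the version ranges above into an inventory check, the following is an added example (not part of the advisory and not vendor code) that classifies reported Metasys ADS/ADX/OAS versions against the ranges this section states: 10.x prior to 10.1.6 and 11.x prior to 11.0.2. It assumes versions are reported as dotted numerics such as "10.1.6"; the hostnames and versions in the sample inventory are constructed. It encodes only the ranges given in this section, so release lines not named here (such as the older ADS/ADX/OAS lines in the component list) are reported as "not covered" rather than as fixed.

```python
# Added example, not part of the advisory: a small inventory check that flags
# Metasys ADS/ADX/OAS installs whose reported version falls inside the ranges
# the advisory gives as affected (10.x prior to 10.1.6, 11.x prior to 11.0.2).
# Assumes versions are reported as dotted numerics such as "10.1.6".
from typing import Dict, List, Tuple

# First fixed release per major line, as stated in the advisory.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    10: (10, 1, 6),
    11: (11, 0, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.1.6' into (10, 1, 6). Comparing integer tuples avoids the
    classic mistake of comparing version strings lexicographically, where
    '10.1.10' would wrongly sort before '10.1.6'. Missing components are
    treated as 0; build components beyond the third are ignored."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def status(version: str) -> str:
    """Classify one version as 'affected', 'fixed', or 'not covered' when the
    major line is not one the advisory's range statement names."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return "not covered"
    return "affected" if v < fixed else "fixed"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run status() over (host, version) pairs; unparsable versions are
    reported as 'unparsable' rather than silently skipped."""
    out = []
    for host, version in inventory:
        try:
            out.append((host, version, status(version)))
        except ValueError:
            out.append((host, version, "unparsable"))
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ads-01.example", "10.1.5"),
    ("adx-02.example", "10.1.10"),
    ("oas-03.example", "11.0.1"),
    ("ads-04.example", "11.0.2"),
    ("legacy-05.example", "9.3"),
    ("bad-06.example", "n/a"),
]

if __name__ == "__main__":
    for host, version, result in triage(SAMPLE_INVENTORY):
        print(f"{host:20} {version:8} {result}")
```

The "not covered" and "unparsable" outcomes are deliberate: a version-check script that quietly returns "fixed" for anything it does not recognise is the kind of tooling that leaves affected hosts out of a patch list.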

Possibility of privilege escalation to SYSTEM using SSO

This issue has been fixed.

In certain cases an unauthenticated user could escalate privileges to SYSTEM using SSO and read or write data. This issue has been fixed.

Timeline

Published on: 07/22/2022 15:15:00 UTC
Last modified on: 07/29/2022 19:10:00 UTC