Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for building_integration_system by bosch

    CVE-2023-29241 (GCVE-0-2023-29241)

    Vulnerability from nvd – Published: 2023-06-30 00:00 – Updated: 2024-11-26 19:59
    VLAI
    Summary
    Improper Information in Cybersecurity Guidebook in Bosch Building Integration System (BIS) 5.0 may lead to wrong configuration which allows local users to access data via network
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1112 - Incomplete Documentation of Program Execution
    Assigner
    Impacted products
    Vendor Product Version
    Bosch BIS Affected: 5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:15.894Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-988400-BT.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29241",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-26T19:59:44.994388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-26T19:59:56.176Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BIS",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Information in Cybersecurity Guidebook in Bosch Building Integration System (BIS) 5.0 may lead to wrong configuration which allows local users to access data via network"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1112",
                  "description": "CWE-1112 Incomplete Documentation of Program Execution",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-30T00:00:00.000Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-988400-BT.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2023-29241",
        "datePublished": "2023-06-30T00:00:00.000Z",
        "dateReserved": "2023-06-01T00:00:00.000Z",
        "dateUpdated": "2024-11-26T19:59:56.176Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23843 (GCVE-0-2021-23843)

    Vulnerability from nvd – Published: 2022-01-19 20:38 – Updated: 2024-09-16 23:01
    VLAI
    Title
    Lack of authentication mechanisms on the device
    Summary
    The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device\'s configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet.
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch AMS Affected: unspecified , < 4.0 (custom)
    Create a notification for this product.
    Bosch APE Affected: unspecified , ≤ 3.8.x (custom)
    Create a notification for this product.
    Bosch BIS Affected: unspecified , < 4.9.1 (custom)
    Create a notification for this product.
    Bosch AMC2 Affected: all
    Create a notification for this product.
    Date Public
    2022-01-19 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:09.225Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "AMS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThan": "4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "APE",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "3.8.x",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "BIS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThan": "4.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "AMC2",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            }
          ],
          "datePublic": "2022-01-19T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device\\\u0027s configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-19T20:38:55.000Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
            }
          ],
          "source": {
            "advisory": "BOSCH-SA-940448-BT",
            "discovery": "EXTERNAL"
          },
          "title": "Lack of authentication mechanisms on the device",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@bosch.com",
              "DATE_PUBLIC": "2022-01-19",
              "ID": "CVE-2021-23843",
              "STATE": "PUBLIC",
              "TITLE": "Lack of authentication mechanisms on the device"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "AMS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "APE",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.8.x"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "BIS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.9.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "AMC2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Bosch"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device\\\u0027s configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-306 Missing Authentication for Critical Function"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html",
                  "refsource": "CONFIRM",
                  "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
                }
              ]
            },
            "source": {
              "advisory": "BOSCH-SA-940448-BT",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2021-23843",
        "datePublished": "2022-01-19T20:38:55.465Z",
        "dateReserved": "2021-01-12T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:01:30.470Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23842 (GCVE-0-2021-23842)

    Vulnerability from nvd – Published: 2022-01-19 20:38 – Updated: 2024-09-16 21:56
    VLAI
    Title
    Use of Hard-coded Cryptographic Key
    Summary
    Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device\'s firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet.
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch AMS Affected: unspecified , < 4.0 (custom)
    Create a notification for this product.
    Bosch APE Affected: unspecified , ≤ 3.8.x (custom)
    Create a notification for this product.
    Bosch BIS Affected: unspecified , < 4.9.1 (custom)
    Create a notification for this product.
    Bosch AMC2 Affected: all
    Create a notification for this product.
    Date Public
    2022-01-19 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:09.336Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "AMS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThan": "4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "APE",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "3.8.x",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "BIS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThan": "4.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "AMC2",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            }
          ],
          "datePublic": "2022-01-19T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device\\\u0027s firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-19T20:38:54.000Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
            }
          ],
          "source": {
            "advisory": "BOSCH-SA-940448-BT",
            "discovery": "EXTERNAL"
          },
          "title": "Use of Hard-coded Cryptographic Key",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@bosch.com",
              "DATE_PUBLIC": "2022-01-19",
              "ID": "CVE-2021-23842",
              "STATE": "PUBLIC",
              "TITLE": "Use of Hard-coded Cryptographic Key"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "AMS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "APE",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.8.x"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "BIS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.9.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "AMC2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Bosch"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device\\\u0027s firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-321 Use of Hard-coded Cryptographic Key"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html",
                  "refsource": "CONFIRM",
                  "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
                }
              ]
            },
            "source": {
              "advisory": "BOSCH-SA-940448-BT",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2021-23842",
        "datePublished": "2022-01-19T20:38:54.368Z",
        "dateReserved": "2021-01-12T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:56:51.896Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23859 (GCVE-0-2021-23859)

    Vulnerability from nvd – Published: 2021-12-08 21:17 – Updated: 2024-09-16 19:45
    VLAI
    Title
    Denial of Service and Authentication Bypass Vulnerability in multiple Bosch products
    Summary
    An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859
    CWE
    • CWE-703 - Improper Check or Handling of Exceptional Conditions
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch BVMS Affected: unspecified , ≤ 9.0.0 (custom)
    Affected: 11.0 , < 11.0.0 (custom)
    Affected: 10.0 , < 10.0.2 (custom)
    Affected: 10.1 , < 10.1.1 (custom)
    Create a notification for this product.
    Bosch DIVAR IP 7000 R2 Affected: all
    Create a notification for this product.
    Bosch DIVAR IP all-in-one 5000 Affected: all
    Create a notification for this product.
    Bosch DIVAR IP all-in-one 7000 Affected: all
    Create a notification for this product.
    Bosch VRM Affected: unspecified , ≤ 3.81 (custom)
    Affected: 4.0 , ≤ 4.00.0070 (custom)
    Affected: 3.83 , ≤ 3.83.0021 (custom)
    Affected: 3.82 , ≤ 3.82.0057 (custom)
    Create a notification for this product.
    Bosch VRM Exporter Affected: 2.1 , ≤ 2.10.0008 (custom)
    Create a notification for this product.
    Bosch APE Affected: unspecified , ≤ 3.8.x.x (custom)
    Create a notification for this product.
    Bosch AEC Affected: unspecified , ≤ 2.9.1.x (custom)
    Create a notification for this product.
    Bosch BIS Affected: unspecified , ≤ 4.9 (custom)
    Affected: unspecified , ≤ 4.8 (custom)
    Affected: unspecified , ≤ 4.7 (custom)
    Create a notification for this product.
    Date Public
    2021-12-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:09.402Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BVMS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "9.0.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "11.0.0",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "10.0.2",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "10.1.1",
                  "status": "affected",
                  "version": "10.1",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "DIVAR IP 7000 R2",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "DIVAR IP all-in-one 5000",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "DIVAR IP all-in-one 7000",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "VRM",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "3.81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "4.00.0070",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "3.83.0021",
                  "status": "affected",
                  "version": "3.83",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "3.82.0057",
                  "status": "affected",
                  "version": "3.82",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "VRM Exporter",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "2.10.0008",
                  "status": "affected",
                  "version": "2.1",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "APE",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "3.8.x.x",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "AEC",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "2.9.1.x",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "BIS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "4.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "4.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "4.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-703",
                  "description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T21:17:23.000Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html"
            }
          ],
          "source": {
            "advisory": "BOSCH-SA-043434-BT",
            "discovery": "EXTERNAL"
          },
          "title": "Denial of Service and Authentication Bypass Vulnerability in multiple Bosch products",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@bosch.com",
              "DATE_PUBLIC": "2021-12-08",
              "ID": "CVE-2021-23859",
              "STATE": "PUBLIC",
              "TITLE": "Denial of Service and Authentication Bypass Vulnerability in multiple Bosch products"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "BVMS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "11.0",
                                "version_value": "11.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "10.0",
                                "version_value": "10.0.2"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "10.1",
                                "version_value": "10.1.1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "9.0.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "DIVAR IP 7000 R2",
                          "version": {
                            "version_data": [
                              {
                                "configuration": "using vulnerable BVMS version",
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "DIVAR IP all-in-one 5000",
                          "version": {
                            "version_data": [
                              {
                                "configuration": "using vulnerable BVMS or VRM version",
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "DIVAR IP all-in-one 7000",
                          "version": {
                            "version_data": [
                              {
                                "configuration": "using vulnerable BVMS or VRM version",
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "VRM",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "4.0",
                                "version_value": "4.00.0070"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_name": "3.83",
                                "version_value": "3.83.0021"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_name": "3.82",
                                "version_value": "3.82.0057"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "VRM Exporter",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "2.1",
                                "version_value": "2.10.0008"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "APE",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.8.x.x"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "AEC",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "2.9.1.x"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "BIS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.9"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.8"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Bosch"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-703 Improper Check or Handling of Exceptional Conditions"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html",
                  "refsource": "CONFIRM",
                  "url": "https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html"
                }
              ]
            },
            "source": {
              "advisory": "BOSCH-SA-043434-BT",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2021-23859",
        "datePublished": "2021-12-08T21:17:23.528Z",
        "dateReserved": "2021-01-12T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:45:43.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-6958 (GCVE-0-2019-6958)

    Vulnerability from nvd – Published: 2019-05-29 18:47 – Updated: 2024-09-17 00:46
    VLAI
    Title
    Improper Access Control for Bosch Video Systems, PSIM and Access Control Systems
    Summary
    A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as "CWE-284: Improper Access Control." This vulnerability, for example, allows a potential attacker to delete video or read video data.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-03-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:31:04.392Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-03-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as \"CWE-284: Improper Access Control.\" This vulnerability, for example, allows a potential attacker to delete video or read video data."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-29T18:47:37.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, the mitigation approaches firewalling, and IP filtering can be utilized. \n\nFor further informatation please check the published security advisory."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Access Control for Bosch Video Systems, PSIM and Access Control Systems",
          "x_generator": {
            "engine": "Vulnogram 0.0.6"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "DATE_PUBLIC": "2019-03-04T23:00:00.000Z",
              "ID": "CVE-2019-6958",
              "STATE": "PUBLIC",
              "TITLE": "Improper Access Control for Bosch Video Systems, PSIM and Access Control Systems"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as \"CWE-284: Improper Access Control.\" This vulnerability, for example, allows a potential attacker to delete video or read video data."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.6"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf",
                  "refsource": "CONFIRM",
                  "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, the mitigation approaches firewalling, and IP filtering can be utilized. \n\nFor further informatation please check the published security advisory."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-6958",
        "datePublished": "2019-05-29T18:47:37.354Z",
        "dateReserved": "2019-01-25T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:46:00.474Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-6957 (GCVE-0-2019-6957)

    Vulnerability from nvd – Published: 2019-05-29 18:55 – Updated: 2024-09-16 16:38
    VLAI
    Title
    Buffer Overflow for Bosch Video Systems, PSIM and Access Control Systems
    Summary
    A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The vulnerability potentially allows the unauthorized execution of code in the system via the network interface.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-04-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:31:04.396Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0403bt-cve-2019-6957_security_advisory_software_buffer_overflow.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-04-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The vulnerability potentially allows the unauthorized execution of code in the system via the network interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-29T18:55:20.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0403bt-cve-2019-6957_security_advisory_software_buffer_overflow.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "In cases where a software update is not possible, a reduction in the system\u2019s network exposure is advised. Internet-accessible installations should be firewalled, whilst additional steps like network isolation by VLAN, IP filtering features of the devices and other technologies should be used to decrease the exposure of vulnerable systems. In addition the firewall on the hosts shall be activated and set according to BVMS and BIS configuration manual. \n\nFor further informatation please check the published security advisory."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Buffer Overflow for Bosch Video Systems, PSIM and Access Control Systems",
          "x_generator": {
            "engine": "Vulnogram 0.0.6"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "DATE_PUBLIC": "2019-04-04T22:00:00.000Z",
              "ID": "CVE-2019-6957",
              "STATE": "PUBLIC",
              "TITLE": "Buffer Overflow for Bosch Video Systems, PSIM and Access Control Systems"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The vulnerability potentially allows the unauthorized execution of code in the system via the network interface."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.6"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0403bt-cve-2019-6957_security_advisory_software_buffer_overflow.pdf",
                  "refsource": "CONFIRM",
                  "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0403bt-cve-2019-6957_security_advisory_software_buffer_overflow.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "In cases where a software update is not possible, a reduction in the system\u2019s network exposure is advised. Internet-accessible installations should be firewalled, whilst additional steps like network isolation by VLAN, IP filtering features of the devices and other technologies should be used to decrease the exposure of vulnerable systems. In addition the firewall on the hosts shall be activated and set according to BVMS and BIS configuration manual. \n\nFor further informatation please check the published security advisory."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-6957",
        "datePublished": "2019-05-29T18:55:20.387Z",
        "dateReserved": "2019-01-25T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:38:39.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29241 (GCVE-0-2023-29241)

    Vulnerability from cvelistv5 – Published: 2023-06-30 00:00 – Updated: 2024-11-26 19:59
    VLAI
    Summary
    Improper Information in Cybersecurity Guidebook in Bosch Building Integration System (BIS) 5.0 may lead to wrong configuration which allows local users to access data via network
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1112 - Incomplete Documentation of Program Execution
    Assigner
    Impacted products
    Vendor Product Version
    Bosch BIS Affected: 5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:00:15.894Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-988400-BT.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29241",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-26T19:59:44.994388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-26T19:59:56.176Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BIS",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Information in Cybersecurity Guidebook in Bosch Building Integration System (BIS) 5.0 may lead to wrong configuration which allows local users to access data via network"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1112",
                  "description": "CWE-1112 Incomplete Documentation of Program Execution",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-30T00:00:00.000Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-988400-BT.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2023-29241",
        "datePublished": "2023-06-30T00:00:00.000Z",
        "dateReserved": "2023-06-01T00:00:00.000Z",
        "dateUpdated": "2024-11-26T19:59:56.176Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23843 (GCVE-0-2021-23843)

    Vulnerability from cvelistv5 – Published: 2022-01-19 20:38 – Updated: 2024-09-16 23:01
    VLAI
    Title
    Lack of authentication mechanisms on the device
    Summary
    The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device\'s configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet.
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch AMS Affected: unspecified , < 4.0 (custom)
    Create a notification for this product.
    Bosch APE Affected: unspecified , ≤ 3.8.x (custom)
    Create a notification for this product.
    Bosch BIS Affected: unspecified , < 4.9.1 (custom)
    Create a notification for this product.
    Bosch AMC2 Affected: all
    Create a notification for this product.
    Date Public
    2022-01-19 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:09.225Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "AMS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThan": "4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "APE",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "3.8.x",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "BIS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThan": "4.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "AMC2",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            }
          ],
          "datePublic": "2022-01-19T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device\\\u0027s configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-19T20:38:55.000Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
            }
          ],
          "source": {
            "advisory": "BOSCH-SA-940448-BT",
            "discovery": "EXTERNAL"
          },
          "title": "Lack of authentication mechanisms on the device",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@bosch.com",
              "DATE_PUBLIC": "2022-01-19",
              "ID": "CVE-2021-23843",
              "STATE": "PUBLIC",
              "TITLE": "Lack of authentication mechanisms on the device"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "AMS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "APE",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.8.x"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "BIS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.9.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "AMC2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Bosch"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certains settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device\\\u0027s configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-306 Missing Authentication for Critical Function"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html",
                  "refsource": "CONFIRM",
                  "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
                }
              ]
            },
            "source": {
              "advisory": "BOSCH-SA-940448-BT",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2021-23843",
        "datePublished": "2022-01-19T20:38:55.465Z",
        "dateReserved": "2021-01-12T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:01:30.470Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23842 (GCVE-0-2021-23842)

    Vulnerability from cvelistv5 – Published: 2022-01-19 20:38 – Updated: 2024-09-16 21:56
    VLAI
    Title
    Use of Hard-coded Cryptographic Key
    Summary
    Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device\'s firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet.
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch AMS Affected: unspecified , < 4.0 (custom)
    Create a notification for this product.
    Bosch APE Affected: unspecified , ≤ 3.8.x (custom)
    Create a notification for this product.
    Bosch BIS Affected: unspecified , < 4.9.1 (custom)
    Create a notification for this product.
    Bosch AMC2 Affected: all
    Create a notification for this product.
    Date Public
    2022-01-19 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:09.336Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "AMS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThan": "4.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "APE",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "3.8.x",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "BIS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThan": "4.9.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "AMC2",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            }
          ],
          "datePublic": "2022-01-19T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device\\\u0027s firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-19T20:38:54.000Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
            }
          ],
          "source": {
            "advisory": "BOSCH-SA-940448-BT",
            "discovery": "EXTERNAL"
          },
          "title": "Use of Hard-coded Cryptographic Key",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@bosch.com",
              "DATE_PUBLIC": "2022-01-19",
              "ID": "CVE-2021-23842",
              "STATE": "PUBLIC",
              "TITLE": "Use of Hard-coded Cryptographic Key"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "AMS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "APE",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.8.x"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "BIS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.9.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "AMC2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Bosch"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device\\\u0027s firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-321 Use of Hard-coded Cryptographic Key"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html",
                  "refsource": "CONFIRM",
                  "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-940448-BT.html"
                }
              ]
            },
            "source": {
              "advisory": "BOSCH-SA-940448-BT",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2021-23842",
        "datePublished": "2022-01-19T20:38:54.368Z",
        "dateReserved": "2021-01-12T00:00:00.000Z",
        "dateUpdated": "2024-09-16T21:56:51.896Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-23859 (GCVE-0-2021-23859)

    Vulnerability from cvelistv5 – Published: 2021-12-08 21:17 – Updated: 2024-09-16 19:45
    VLAI
    Title
    Denial of Service and Authentication Bypass Vulnerability in multiple Bosch products
    Summary
    An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859
    CWE
    • CWE-703 - Improper Check or Handling of Exceptional Conditions
    Assigner
    References
    Impacted products
    Vendor Product Version
    Bosch BVMS Affected: unspecified , ≤ 9.0.0 (custom)
    Affected: 11.0 , < 11.0.0 (custom)
    Affected: 10.0 , < 10.0.2 (custom)
    Affected: 10.1 , < 10.1.1 (custom)
    Create a notification for this product.
    Bosch DIVAR IP 7000 R2 Affected: all
    Create a notification for this product.
    Bosch DIVAR IP all-in-one 5000 Affected: all
    Create a notification for this product.
    Bosch DIVAR IP all-in-one 7000 Affected: all
    Create a notification for this product.
    Bosch VRM Affected: unspecified , ≤ 3.81 (custom)
    Affected: 4.0 , ≤ 4.00.0070 (custom)
    Affected: 3.83 , ≤ 3.83.0021 (custom)
    Affected: 3.82 , ≤ 3.82.0057 (custom)
    Create a notification for this product.
    Bosch VRM Exporter Affected: 2.1 , ≤ 2.10.0008 (custom)
    Create a notification for this product.
    Bosch APE Affected: unspecified , ≤ 3.8.x.x (custom)
    Create a notification for this product.
    Bosch AEC Affected: unspecified , ≤ 2.9.1.x (custom)
    Create a notification for this product.
    Bosch BIS Affected: unspecified , ≤ 4.9 (custom)
    Affected: unspecified , ≤ 4.8 (custom)
    Affected: unspecified , ≤ 4.7 (custom)
    Create a notification for this product.
    Date Public
    2021-12-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:09.402Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "BVMS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "9.0.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "11.0.0",
                  "status": "affected",
                  "version": "11.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "10.0.2",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "10.1.1",
                  "status": "affected",
                  "version": "10.1",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "DIVAR IP 7000 R2",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "DIVAR IP all-in-one 5000",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "DIVAR IP all-in-one 7000",
              "vendor": "Bosch",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "VRM",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "3.81",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "4.00.0070",
                  "status": "affected",
                  "version": "4.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "3.83.0021",
                  "status": "affected",
                  "version": "3.83",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "3.82.0057",
                  "status": "affected",
                  "version": "3.82",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "VRM Exporter",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "2.10.0008",
                  "status": "affected",
                  "version": "2.1",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "APE",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "3.8.x.x",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "AEC",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "2.9.1.x",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "BIS",
              "vendor": "Bosch",
              "versions": [
                {
                  "lessThanOrEqual": "4.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "4.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "4.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-703",
                  "description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T21:17:23.000Z",
            "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
            "shortName": "bosch"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html"
            }
          ],
          "source": {
            "advisory": "BOSCH-SA-043434-BT",
            "discovery": "EXTERNAL"
          },
          "title": "Denial of Service and Authentication Bypass Vulnerability in multiple Bosch products",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@bosch.com",
              "DATE_PUBLIC": "2021-12-08",
              "ID": "CVE-2021-23859",
              "STATE": "PUBLIC",
              "TITLE": "Denial of Service and Authentication Bypass Vulnerability in multiple Bosch products"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "BVMS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "11.0",
                                "version_value": "11.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "10.0",
                                "version_value": "10.0.2"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "10.1",
                                "version_value": "10.1.1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "9.0.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "DIVAR IP 7000 R2",
                          "version": {
                            "version_data": [
                              {
                                "configuration": "using vulnerable BVMS version",
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "DIVAR IP all-in-one 5000",
                          "version": {
                            "version_data": [
                              {
                                "configuration": "using vulnerable BVMS or VRM version",
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "DIVAR IP all-in-one 7000",
                          "version": {
                            "version_data": [
                              {
                                "configuration": "using vulnerable BVMS or VRM version",
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "VRM",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "4.0",
                                "version_value": "4.00.0070"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_name": "3.83",
                                "version_value": "3.83.0021"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_name": "3.82",
                                "version_value": "3.82.0057"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.81"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "VRM Exporter",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "2.1",
                                "version_value": "2.10.0008"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "APE",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.8.x.x"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "AEC",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "2.9.1.x"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "BIS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.9"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.8"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Bosch"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-703 Improper Check or Handling of Exceptional Conditions"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html",
                  "refsource": "CONFIRM",
                  "url": "https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html"
                }
              ]
            },
            "source": {
              "advisory": "BOSCH-SA-043434-BT",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
        "assignerShortName": "bosch",
        "cveId": "CVE-2021-23859",
        "datePublished": "2021-12-08T21:17:23.528Z",
        "dateReserved": "2021-01-12T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:45:43.543Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-6957 (GCVE-0-2019-6957)

    Vulnerability from cvelistv5 – Published: 2019-05-29 18:55 – Updated: 2024-09-16 16:38
    VLAI
    Title
    Buffer Overflow for Bosch Video Systems, PSIM and Access Control Systems
    Summary
    A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The vulnerability potentially allows the unauthorized execution of code in the system via the network interface.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-04-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:31:04.396Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0403bt-cve-2019-6957_security_advisory_software_buffer_overflow.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-04-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The vulnerability potentially allows the unauthorized execution of code in the system via the network interface."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-29T18:55:20.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0403bt-cve-2019-6957_security_advisory_software_buffer_overflow.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "In cases where a software update is not possible, a reduction in the system\u2019s network exposure is advised. Internet-accessible installations should be firewalled, whilst additional steps like network isolation by VLAN, IP filtering features of the devices and other technologies should be used to decrease the exposure of vulnerable systems. In addition the firewall on the hosts shall be activated and set according to BVMS and BIS configuration manual. \n\nFor further informatation please check the published security advisory."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Buffer Overflow for Bosch Video Systems, PSIM and Access Control Systems",
          "x_generator": {
            "engine": "Vulnogram 0.0.6"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "DATE_PUBLIC": "2019-04-04T22:00:00.000Z",
              "ID": "CVE-2019-6957",
              "STATE": "PUBLIC",
              "TITLE": "Buffer Overflow for Bosch Video Systems, PSIM and Access Control Systems"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Video Recording Manager (VRM), Video Streaming Gateway (VSG), Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The vulnerability potentially allows the unauthorized execution of code in the system via the network interface."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.6"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0403bt-cve-2019-6957_security_advisory_software_buffer_overflow.pdf",
                  "refsource": "CONFIRM",
                  "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0403bt-cve-2019-6957_security_advisory_software_buffer_overflow.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "In cases where a software update is not possible, a reduction in the system\u2019s network exposure is advised. Internet-accessible installations should be firewalled, whilst additional steps like network isolation by VLAN, IP filtering features of the devices and other technologies should be used to decrease the exposure of vulnerable systems. In addition the firewall on the hosts shall be activated and set according to BVMS and BIS configuration manual. \n\nFor further informatation please check the published security advisory."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-6957",
        "datePublished": "2019-05-29T18:55:20.387Z",
        "dateReserved": "2019-01-25T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:38:39.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-6958 (GCVE-0-2019-6958)

    Vulnerability from cvelistv5 – Published: 2019-05-29 18:47 – Updated: 2024-09-17 00:46
    VLAI
    Title
    Improper Access Control for Bosch Video Systems, PSIM and Access Control Systems
    Summary
    A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as "CWE-284: Improper Access Control." This vulnerability, for example, allows a potential attacker to delete video or read video data.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-03-04 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:31:04.392Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-03-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as \"CWE-284: Improper Access Control.\" This vulnerability, for example, allows a potential attacker to delete video or read video data."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-05-29T18:47:37.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, the mitigation approaches firewalling, and IP filtering can be utilized. \n\nFor further informatation please check the published security advisory."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Access Control for Bosch Video Systems, PSIM and Access Control Systems",
          "x_generator": {
            "engine": "Vulnogram 0.0.6"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "DATE_PUBLIC": "2019-03-04T23:00:00.000Z",
              "ID": "CVE-2019-6958",
              "STATE": "PUBLIC",
              "TITLE": "Improper Access Control for Bosch Video Systems, PSIM and Access Control Systems"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as \"CWE-284: Improper Access Control.\" This vulnerability, for example, allows a potential attacker to delete video or read video data."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.6"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf",
                  "refsource": "CONFIRM",
                  "url": "https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "The recommended approach is to update the software to a fixed version as soon as possible. Until a fixed software version is installed, the mitigation approaches firewalling, and IP filtering can be utilized. \n\nFor further informatation please check the published security advisory."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-6958",
        "datePublished": "2019-05-29T18:47:37.354Z",
        "dateReserved": "2019-01-25T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:46:00.474Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }