Vulnerabilites related to bosch - smart_home_controller_firmware
Vulnerability from fkie_nvd
Published
2019-05-29 21:29
Modified
2024-11-21 04:21
Severity ?
Summary
A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@bosch.com | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bosch | smart_home_controller_firmware | * | |
| bosch | smart_home_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "208D1A1D-4982-457F-A29B-0BE857355DC5",
"versionEndExcluding": "9.8.905",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bosch:smart_home_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0CB28E5D-21D5-4DEE-8D84-FA1F4664362F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad potencial de control de acceso inapropiado en la interfaz JSON-RPC del Smart Home Controller (SHC) de Bosch anteriores de la versi\u00f3n 9.8.905, que puede conllevar a una Denegaci\u00f3n de Servicio con \u00e9xito a del SHC y los sensores y transmisores de fuerza conectados. Para aprovechar la vulnerabilidad, el adversario necesita haber emparejado con exito una aplicaci\u00f3n o servicio, que requiere interacci\u00f3n con el usuario."
}
],
"id": "CVE-2019-11895",
"lastModified": "2024-11-21T04:21:58.643",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.1,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "psirt@bosch.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-29T21:29:02.120",
"references": [
{
"source": "psirt@bosch.com",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"sourceIdentifier": "psirt@bosch.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "psirt@bosch.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-29 20:29
Modified
2024-11-21 04:21
Severity ?
Summary
A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in reading or modification of the SHC's configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@bosch.com | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bosch | smart_home_controller_firmware | * | |
| bosch | smart_home_controller | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "208D1A1D-4982-457F-A29B-0BE857355DC5",
"versionEndExcluding": "9.8.905",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bosch:smart_home_controller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83665608-FC8C-4C92-9DAD-A025433DDD33",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in reading or modification of the SHC\u0027s configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad potencial de control de acceso inadecuado en el JSON-RPC interfaz de BOSCH Smart Home Controller (SHC) anterior a 9.8.905 que puede dar como resultado una lectura o modificaci\u00f3n de la confifuraci\u00f3n SHC\u00b4s o activaci\u00f3n y restauraci\u00f3n de las copais de seguridad.Para poder aprovechar la vulnerabilidad, el adversario necesita haber emparejado con \u00e9xito una aplicaci\u00f3n o servicio, lo que requiere la interacci\u00f3n del usuario."
}
],
"id": "CVE-2019-11892",
"lastModified": "2024-11-21T04:21:58.300",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "psirt@bosch.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-29T20:29:00.253",
"references": [
{
"source": "psirt@bosch.com",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"sourceIdentifier": "psirt@bosch.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "psirt@bosch.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-29 20:29
Modified
2024-11-21 04:21
Severity ?
Summary
A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@bosch.com | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bosch | smart_home_controller_firmware | * | |
| bosch | smart_home_controller | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "208D1A1D-4982-457F-A29B-0BE857355DC5",
"versionEndExcluding": "9.8.905",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bosch:smart_home_controller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83665608-FC8C-4C92-9DAD-A025433DDD33",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad potencial de asignaci\u00f3n de privilegios inapropiada en la API de actualizaci\u00f3n de permisos de aplicaci\u00f3n del Smart Home Controller (SHC) de Bosch anteriores de la 9.8.905, que puede conllevar a una aplicaci\u00f3n restringida obtenga los permisos por defecto de la aplicaci\u00f3n. Para aprovechar la vulnerabilidad, el adversario necesita haber emparejado con \u00e9xito una aplicaci\u00f3n con permisos restringidos, que requiere la interacci\u00f3n del usuario."
}
],
"id": "CVE-2019-11893",
"lastModified": "2024-11-21T04:21:58.410",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.4,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 3.4,
"source": "psirt@bosch.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-29T20:29:00.297",
"references": [
{
"source": "psirt@bosch.com",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"sourceIdentifier": "psirt@bosch.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-266"
}
],
"source": "psirt@bosch.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-29 20:29
Modified
2024-11-21 04:21
Severity ?
Summary
A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary's choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@bosch.com | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bosch | smart_home_controller_firmware | * | |
| bosch | smart_home_controller | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "208D1A1D-4982-457F-A29B-0BE857355DC5",
"versionEndExcluding": "9.8.905",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bosch:smart_home_controller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83665608-FC8C-4C92-9DAD-A025433DDD33",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary\u0027s choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad potencial de asignaci\u00f3n de privilegios de asignaci\u00f3n de privilegios incorrrecta en el mecanismo de emparajamiento de las aplicaciones del controlador Bosch Smart Home (SHC) anteriores a 9.8.905 que puede conllevar a privilegios elevados de la elecci\u00f3n del adversario. Para aprovechar la vulnerabilidad el adversario neceista acceso f\u00edsico al SHC durante el ataque."
}
],
"id": "CVE-2019-11891",
"lastModified": "2024-11-21T04:21:58.153",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 5.5,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "psirt@bosch.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-29T20:29:00.207",
"references": [
{
"source": "psirt@bosch.com",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"sourceIdentifier": "psirt@bosch.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-266"
}
],
"source": "psirt@bosch.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-29 21:29
Modified
2024-11-21 04:21
Severity ?
Summary
A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@bosch.com | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bosch | smart_home_controller_firmware | * | |
| bosch | smart_home_controller | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3C832EE-1A23-4EDE-A3D3-3DCB0D08E74C",
"versionEndExcluding": "9.8.907",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bosch:smart_home_controller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83665608-FC8C-4C92-9DAD-A025433DDD33",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad potencial de asignaci\u00f3n de privilegios inapropiada en el mecanismo de emparejamiento de terceros (3rd party pairing) del Smart Home Controller (SHC) de Bosch anteriores de la versi\u00f3n 9.8.907, que puede conllevar a una aplicaci\u00f3n restringida obtenga los permisos de aplicaci\u00f3n por defecto. Para aprovechar la vulnerabilidad, el adversario necesita haber emparejado con exito una aplicaci\u00f3n, que requiere interacci\u00f3n con el usuario."
}
],
"id": "CVE-2019-11896",
"lastModified": "2024-11-21T04:21:58.757",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 3.4,
"source": "psirt@bosch.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-29T21:29:02.153",
"references": [
{
"source": "psirt@bosch.com",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"sourceIdentifier": "psirt@bosch.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "psirt@bosch.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-29 21:29
Modified
2024-11-21 04:21
Severity ?
Summary
A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| psirt@bosch.com | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bosch | smart_home_controller_firmware | * | |
| bosch | smart_home_controller | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "208D1A1D-4982-457F-A29B-0BE857355DC5",
"versionEndExcluding": "9.8.905",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:bosch:smart_home_controller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "83665608-FC8C-4C92-9DAD-A025433DDD33",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad potencial de control de acceso inapropiado en el mecanismo de copia de seguridad (backup) del Smart Home Controller (SHC) de Bosch anteriores de la versi\u00f3n 9.8.905, que puede conllevar a la descarga no autorizada de una copia de seguridad. Para explotar la vulnerabilidad, el adversario necesita descargar la copia de seguridad directamente desp\u00faes de haber completado una copia de seguridad iniciada por un usuario leg\u00edtimo."
}
],
"id": "CVE-2019-11894",
"lastModified": "2024-11-21T04:21:58.523",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 5.5,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "psirt@bosch.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-29T21:29:02.073",
"references": [
{
"source": "psirt@bosch.com",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"sourceIdentifier": "psirt@bosch.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "psirt@bosch.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2019-11894 (GCVE-0-2019-11894)
Vulnerability from cvelistv5
Published
2019-05-29 20:03
Modified
2024-09-17 00:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bosch | Smart Home Controller |
Version: unspecified < 9.8.905 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:29.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Smart Home Controller",
"vendor": "Bosch",
"versions": [
{
"lessThan": "9.8.905",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philip Kazmeier"
}
],
"datePublic": "2019-05-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-29T20:03:48",
"orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"shortName": "bosch"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper access control in the backup mechanism of the Bosch Smart Home Controller (SHC)",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@bosch.com",
"DATE_PUBLIC": "2019-05-29T12:00:00.000Z",
"ID": "CVE-2019-11894",
"STATE": "PUBLIC",
"TITLE": "Improper access control in the backup mechanism of the Bosch Smart Home Controller (SHC)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Smart Home Controller",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "9.8.905"
}
]
}
}
]
},
"vendor_name": "Bosch"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Philip Kazmeier"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html",
"refsource": "CONFIRM",
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"assignerShortName": "bosch",
"cveId": "CVE-2019-11894",
"datePublished": "2019-05-29T20:03:48.103119Z",
"dateReserved": "2019-05-13T00:00:00",
"dateUpdated": "2024-09-17T00:46:00.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11892 (GCVE-0-2019-11892)
Vulnerability from cvelistv5
Published
2019-05-29 19:55
Modified
2024-09-16 17:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in reading or modification of the SHC's configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bosch | Smart Home Controller |
Version: unspecified < 9.8.905 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:29.471Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Smart Home Controller",
"vendor": "Bosch",
"versions": [
{
"lessThan": "9.8.905",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philip Kazmeier"
}
],
"datePublic": "2019-05-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in reading or modification of the SHC\u0027s configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-29T19:55:13",
"orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"shortName": "bosch"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper access control in the JSON-RPC interface of the Bosch Smart Home Controller (SHC)",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@bosch.com",
"DATE_PUBLIC": "2019-05-29T12:00:00.000Z",
"ID": "CVE-2019-11892",
"STATE": "PUBLIC",
"TITLE": "Improper access control in the JSON-RPC interface of the Bosch Smart Home Controller (SHC)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Smart Home Controller",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "9.8.905"
}
]
}
}
]
},
"vendor_name": "Bosch"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Philip Kazmeier"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in reading or modification of the SHC\u0027s configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html",
"refsource": "CONFIRM",
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"assignerShortName": "bosch",
"cveId": "CVE-2019-11892",
"datePublished": "2019-05-29T19:55:13.289812Z",
"dateReserved": "2019-05-13T00:00:00",
"dateUpdated": "2024-09-16T17:42:58.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11896 (GCVE-0-2019-11896)
Vulnerability from cvelistv5
Published
2019-05-29 20:11
Modified
2024-09-16 19:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bosch | Smart Home Controller |
Version: unspecified < 9.8.907 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:29.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Smart Home Controller",
"vendor": "Bosch",
"versions": [
{
"lessThan": "9.8.907",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philip Kazmeier"
}
],
"datePublic": "2019-05-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-29T20:11:00",
"orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"shortName": "bosch"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect pviilege assignment in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC)",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@bosch.com",
"DATE_PUBLIC": "2019-05-29T12:00:00.000Z",
"ID": "CVE-2019-11896",
"STATE": "PUBLIC",
"TITLE": "Incorrect pviilege assignment in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Smart Home Controller",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "9.8.907"
}
]
}
}
]
},
"vendor_name": "Bosch"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Philip Kazmeier"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html",
"refsource": "CONFIRM",
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"assignerShortName": "bosch",
"cveId": "CVE-2019-11896",
"datePublished": "2019-05-29T20:11:00.829405Z",
"dateReserved": "2019-05-13T00:00:00",
"dateUpdated": "2024-09-16T19:24:49.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11891 (GCVE-0-2019-11891)
Vulnerability from cvelistv5
Published
2019-05-29 19:40
Modified
2024-09-16 18:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-266 - Incorrect Privilege Assignment
Summary
A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary's choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bosch | Smart Home Controller |
Version: unspecified < 9.8.905 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:29.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Smart Home Controller",
"vendor": "Bosch",
"versions": [
{
"lessThan": "9.8.905",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philip Kazmeier"
}
],
"datePublic": "2019-05-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary\u0027s choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-29T19:40:01",
"orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"shortName": "bosch"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect privilege assignment in the app pairing mechanism of the Bosch Smart Home Controller (SHC)",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@bosch.com",
"DATE_PUBLIC": "2019-05-29T12:00:00.000Z",
"ID": "CVE-2019-11891",
"STATE": "PUBLIC",
"TITLE": "Incorrect privilege assignment in the app pairing mechanism of the Bosch Smart Home Controller (SHC)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Smart Home Controller",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "9.8.905"
}
]
}
}
]
},
"vendor_name": "Bosch"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Philip Kazmeier"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary\u0027s choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-266 Incorrect Privilege Assignment"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html",
"refsource": "CONFIRM",
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"assignerShortName": "bosch",
"cveId": "CVE-2019-11891",
"datePublished": "2019-05-29T19:40:01.253370Z",
"dateReserved": "2019-05-13T00:00:00",
"dateUpdated": "2024-09-16T18:13:51.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11895 (GCVE-0-2019-11895)
Vulnerability from cvelistv5
Published
2019-05-29 20:07
Modified
2024-09-16 18:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bosch | Smart Home Controller |
Version: unspecified < 9.8.905 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:29.614Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Smart Home Controller",
"vendor": "Bosch",
"versions": [
{
"lessThan": "9.8.905",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philip Kazmeier"
}
],
"datePublic": "2019-05-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-29T20:07:39",
"orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"shortName": "bosch"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper access control in the JSON-RPC interface of the Bosch Smart Home Controller (SHC)",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@bosch.com",
"DATE_PUBLIC": "2019-05-29T12:00:00.000Z",
"ID": "CVE-2019-11895",
"STATE": "PUBLIC",
"TITLE": "Improper access control in the JSON-RPC interface of the Bosch Smart Home Controller (SHC)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Smart Home Controller",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "9.8.905"
}
]
}
}
]
},
"vendor_name": "Bosch"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Philip Kazmeier"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a successful denial of service of the SHC and connected sensors and actuators. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html",
"refsource": "CONFIRM",
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"assignerShortName": "bosch",
"cveId": "CVE-2019-11895",
"datePublished": "2019-05-29T20:07:39.228984Z",
"dateReserved": "2019-05-13T00:00:00",
"dateUpdated": "2024-09-16T18:03:37.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11893 (GCVE-0-2019-11893)
Vulnerability from cvelistv5
Published
2019-05-29 19:58
Modified
2024-09-16 22:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-266 - Incorrect Privilege Assignment
Summary
A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Bosch | Smart Home Controller |
Version: unspecified < 9.8.905 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:29.449Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Smart Home Controller",
"vendor": "Bosch",
"versions": [
{
"lessThan": "9.8.905",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philip Kazmeier"
}
],
"datePublic": "2019-05-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-29T19:58:04",
"orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"shortName": "bosch"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incorrect privilege assignment in the app permission update API of the Bosch Smart Home Controller (SHC)",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@bosch.com",
"DATE_PUBLIC": "2019-05-29T12:00:00.000Z",
"ID": "CVE-2019-11893",
"STATE": "PUBLIC",
"TITLE": "Incorrect privilege assignment in the app permission update API of the Bosch Smart Home Controller (SHC)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Smart Home Controller",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "9.8.905"
}
]
}
}
]
},
"vendor_name": "Bosch"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Philip Kazmeier"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-266 Incorrect Privilege Assignment"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html",
"refsource": "CONFIRM",
"url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"assignerShortName": "bosch",
"cveId": "CVE-2019-11893",
"datePublished": "2019-05-29T19:58:04.150033Z",
"dateReserved": "2019-05-13T00:00:00",
"dateUpdated": "2024-09-16T22:46:47.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}