Lucene search

[email protected]NVD:CVE-2019-8952

HistoryMay 13, 2019 - 10:29 p.m.

CVE-2019-8952

2019-05-1322:29:01

CWE-22

[email protected]

web.nvd.nist.gov

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

60.4%

JSON

A Path Traversal vulnerability located in the webserver affects several Bosch hardware and software products. The vulnerability potentially allows a remote authorized user to access arbitrary files on the system via the network interface. Affected hardware products: Bosch DIVAR IP 2000 (vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; fixed versions: 3.62.0019 and newer), Bosch DIVAR IP 5000 (vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; fixed versions: 3.80.0033 and newer). Affected software products: Video Recording Manager (VRM) (vulnerable versions: 3.10; 3.20; 3.21; 3.50; 3.51; 3.55; 3.60; 3.61; 3.62; 3.70; 3.71 before 3.71.0032 ; fixed versions: 3.71.0032; 3.81.0032 and newer), Bosch Video Management System (BVMS) (vulnerable versions: 3.50.00XX; 3.55.00XX; 3.60.00XX; 3.70.0056; fixed versions: 7.5; 3.71.0032).

Affected configurations

Nvd

Node

boschdivar_ip_2000_firmwareRange<3.62.0019

AND

boschdivar_ip_2000Match-

Node

boschdivar_ip_5000_firmwareRange<3.80.0033

AND

boschdivar_ip_5000Match-

Node

boschvideo_management_systemRange<3.71.0032

boschvideo_recording_managerRange<3.71.0032

boschvideo_recording_managerRange3.81–3.81.0032

VendorProductVersionCPE
boschdivar_ip_2000_firmware*cpe:2.3:o:bosch:divar_ip_2000_firmware:*:*:*:*:*:*:*:*
boschdivar_ip_2000-cpe:2.3:h:bosch:divar_ip_2000:-:*:*:*:*:*:*:*
boschdivar_ip_5000_firmware*cpe:2.3:o:bosch:divar_ip_5000_firmware:*:*:*:*:*:*:*:*
boschdivar_ip_5000-cpe:2.3:h:bosch:divar_ip_5000:-:*:*:*:*:*:*:*
boschvideo_management_system*cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
boschvideo_recording_manager*cpe:2.3:a:bosch:video_recording_manager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
bosch	divar_ip_2000_firmware	*	cpe:2.3:o:bosch:divar_ip_2000_firmware::::::::
bosch	divar_ip_2000	-	cpe:2.3:h:bosch:divar_ip_2000:-:::::::*
bosch	divar_ip_5000_firmware	*	cpe:2.3:o:bosch:divar_ip_5000_firmware::::::::
bosch	divar_ip_5000	-	cpe:2.3:h:bosch:divar_ip_5000:-:::::::*
bosch	video_management_system	*	cpe:2.3:a:bosch:video_management_system::::::::
bosch	video_recording_manager	*	cpe:2.3:a:bosch:video_recording_manager::::::::

References

media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0402bt-cve-2019-8952_security_advisory_vrm_path_traversal.pdf

psirt.bosch.com

psirt.bosch.com/Advisory/BOSCH-2019-0402.html

www.boschsecurity.com/xc/en/support/product-security/security-advisories.html

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

60.4%

JSON

Related for NVD:CVE-2019-8952

cve1 cvelist1 prion1