Lucene search

[email protected]NVD:CVE-2021-23861

HistoryDec 08, 2021 - 10:15 p.m.

CVE-2021-23861

2021-12-0822:15:08

CWE-489

[email protected]

web.nvd.nist.gov

special command

admin user

extended debug functionality

software integrity

availability

divar ip

bvms with vrm

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

35.0%

JSON

By executing a special command, an user with administrative rights can get access to extended debug functionality on the VRM allowing an impact on integrity or availability of the installed software. This issue also affects installations of the DIVAR IP and BVMS with VRM installed.

Affected configurations

Nvd

Node

boschbosch_video_management_systemRange≤9.0

boschbosch_video_management_systemRange10.0–10.0.2

boschbosch_video_management_systemMatch10.1

boschbosch_video_management_systemMatch11.0

boschvideo_recording_managerRange≤3.81

boschvideo_recording_managerRange3.82–3.82.0057

boschvideo_recording_managerRange3.83–3.83.0021

boschvideo_recording_managerRange4.0–4.00.0070

AND

boschdivar_ip_5000_firmwareMatch-

boschdivar_ip_7000_firmwareMatch-

VendorProductVersionCPE
boschbosch_video_management_system*cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*
boschbosch_video_management_system10.1cpe:2.3:a:bosch:bosch_video_management_system:10.1:*:*:*:*:*:*:*
boschbosch_video_management_system11.0cpe:2.3:a:bosch:bosch_video_management_system:11.0:*:*:*:*:*:*:*
boschvideo_recording_manager*cpe:2.3:a:bosch:video_recording_manager:*:*:*:*:*:*:*:*
boschdivar_ip_5000_firmware-cpe:2.3:o:bosch:divar_ip_5000_firmware:-:*:*:*:*:*:*:*
boschdivar_ip_7000_firmware-cpe:2.3:o:bosch:divar_ip_7000_firmware:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
bosch	bosch_video_management_system	*	cpe:2.3:a:bosch:bosch_video_management_system::::::::
bosch	bosch_video_management_system	10.1	cpe:2.3:a:bosch:bosch_video_management_system:10.1:::::::*
bosch	bosch_video_management_system	11.0	cpe:2.3:a:bosch:bosch_video_management_system:11.0:::::::*
bosch	video_recording_manager	*	cpe:2.3:a:bosch:video_recording_manager::::::::
bosch	divar_ip_5000_firmware	-	cpe:2.3:o:bosch:divar_ip_5000_firmware:-:::::::*
bosch	divar_ip_7000_firmware	-	cpe:2.3:o:bosch:divar_ip_7000_firmware:-:::::::*

References

psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

35.0%

JSON

Related for NVD:CVE-2021-23861

cve1 cvelist1 prion1