CVE-2019-6958

EPSS 0.33%
Veröffentlicht 29.05.2019 19:29:00
Zuletzt bearbeitet 21.11.2024 04:47:18
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A recently discovered security vulnerability affects all Bosch Video Management System (BVMS) versions 9.0 and below, DIVAR IP 2000, 3000, 5000 and 7000, Configuration Manager, Building Integration System (BIS) with Video Engine, Access Professional Edition (APE), Access Easy Controller (AEC), Bosch Video Client (BVC) and Video SDK (VSDK). The RCP+ network port allows access without authentication. Adding authentication feature to the respective library fixes the issue. The issue is classified as "CWE-284: Improper Access Control." This vulnerability, for example, allows a potential attacker to delete video or read video data.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Bosch ≫ Access Professional Edition Version >= 3.0 <= 3.7

Bosch ≫ Bosch Video Client Version < 1.7.6.079

Bosch ≫ Bosch Video Management System Version <= 9.0

Bosch ≫ Building Integration System Version >= 2.2 <= 4.4

Bosch ≫ Building Integration System Version4.5

Bosch ≫ Building Integration System Version4.6

Bosch ≫ Building Integration System Version4.6.1

Bosch ≫ Configuration Manager Version < 6.10

Bosch ≫ Video Sdk Version < 6.32.0099

Bosch ≫ Dip 2000 Firmware Version < 0380.037

Bosch ≫ Dip 2000 Version-

Bosch ≫ Dip 3000 Firmware Version-

Bosch ≫ Dip 3000 Version-

Bosch ≫ Dip 5000 Firmware Version < 038.037

Bosch ≫ Dip 5000 Version-

Bosch ≫ Dip 7000 Firmware Version-

Bosch ≫ Dip 7000 Versiongen1
Bosch ≫ Dip 7000 Versiongen2

Bosch ≫ Access Easy Controller Firmware Version2.1.8.5

Bosch ≫ Access Easy Controller Version-

Bosch ≫ Access Easy Controller Firmware Version2.1.9.0

Bosch ≫ Access Easy Controller Version-

Bosch ≫ Access Easy Controller Firmware Version2.1.9.1

Bosch ≫ Access Easy Controller Version-

Bosch ≫ Access Easy Controller Firmware Version2.1.9.3

Bosch ≫ Access Easy Controller Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.552

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N
cve@mitre.org	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-2019-0404bt-cve-2019-6958_security_advisory_improper_access_control.pdf

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2019-6958

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-6958

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-6958

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-6958