ID CVE-2019-11892
Summary A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in reading or modification of the SHC's configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary needs to have successfully paired an app or service, which requires user interaction.
References
Vulnerable Configurations
  • cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:bosch:smart_home_controller:-:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 06-10-2020 - 14:39)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
confirm https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html
Last major update 06-10-2020 - 14:39
Published 29-05-2019 - 20:29
Last modified 06-10-2020 - 14:39