ID CVE-2019-11894
Summary A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in unauthorized download of a backup. In order to exploit the vulnerability, the adversary needs to download the backup directly after a backup triggered by a legitimate user has been completed.
References
Vulnerable Configurations
  • cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:bosch:smart_home_controller:-:*:*:*:*:*:*:*
CVSS
Base: 2.9 (as of 06-10-2020 - 14:41)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: ADJACENT_NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:A/AC:M/Au:N/C:P/I:N/A:N
refmap via4
confirm https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html
Last major update 06-10-2020 - 14:41
Published 29-05-2019 - 21:29
Last modified 06-10-2020 - 14:41