CVE-2021-23859

An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:bosch_video_management_system:10.1:*:*:*:*:*:*:*
cpe:2.3:a:bosch:bosch_video_management_system:11.0:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_recording_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_recording_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_recording_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_recording_manager:*:*:*:*:*:*:*:*
OR cpe:2.3:o:bosch:divar_ip_5000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_7000_firmware:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:bosch:access_easy_controller_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:access_easy_controller:-:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:bosch:access_professional_edition:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:building_integration_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_recording_manager_exporter:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:51

Type Values Removed Values Added
CVSS v2 : 5.0
v3 : 7.5
v2 : 5.0
v3 : 9.1
References () https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html - Vendor Advisory () https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html - Vendor Advisory

14 Dec 2021, 16:33

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
CWE CWE-755
References (CONFIRM) https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html - (CONFIRM) https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html - Vendor Advisory
CPE cpe:2.3:o:bosch:divar_ip_7000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:a:bosch:access_professional_edition:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_5000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:a:bosch:bosch_video_management_system:10.1:*:*:*:*:*:*:*
cpe:2.3:h:bosch:access_easy_controller:-:*:*:*:*:*:*:*
cpe:2.3:a:bosch:bosch_video_management_system:11.0:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_recording_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:building_integration_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_recording_manager_exporter:*:*:*:*:*:*:*:*
cpe:2.3:o:bosch:access_easy_controller_firmware:*:*:*:*:*:*:*:*

08 Dec 2021, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-12-08 22:15

Updated : 2024-11-21 05:51


NVD link : CVE-2021-23859

Mitre link : CVE-2021-23859

CVE.ORG link : CVE-2021-23859


JSON object : View

Products Affected

bosch

  • video_recording_manager_exporter
  • bosch_video_management_system
  • divar_ip_5000_firmware
  • video_recording_manager
  • divar_ip_7000_firmware
  • building_integration_system
  • access_easy_controller_firmware
  • access_easy_controller
  • access_professional_edition
CWE
CWE-703

Improper Check or Handling of Exceptional Conditions

CWE-755

Improper Handling of Exceptional Conditions