CVE-2023-28175

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-28175
Improper Authorization in SSH server in Bosch VMS 11.0, 11.1.0, and 11.1.1 allows a remote authenticated user to access resources within the trusted internal network via a port forwarding request.

7.7 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://psirt.bosch.com/security-advisories/BOSCH-SA-025794-bt.html Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*
OR cpe:2.3:h:bosch:divar_ip_4000:-:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_5000:-:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_6000:-:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000:-:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r2:-:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r3:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:bosch:divar_ip_3000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_3000:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:bosch:divar_ip_6000_firmware:11.1.1:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_6000:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:bosch:divar_ip_4000_firmware:11.1.1:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_4000:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:bosch:divar_ip_5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_5000:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:bosch:divar_ip_7000_r2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r2:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:bosch:divar_ip_7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:bosch:divar_ip_7000_r3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r3:-:*:*:*:*:*:*:*
History

05 Jul 2023, 13:25

Type Values Removed Values Added
References (MISC) https://psirt.bosch.com/security-advisories/BOSCH-SA-025794-bt.html - (MISC) https://psirt.bosch.com/security-advisories/BOSCH-SA-025794-bt.html - Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.7
CWE CWE-863
CPE cpe:2.3:o:bosch:divar_ip_7000_r2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r2:-:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_6000:-:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_4000_firmware:11.1.1:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_7000_r3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_3000:-:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_4000:-:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_5000:-:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_6000_firmware:11.1.1:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_3000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r3:-:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000:-:*:*:*:*:*:*:*

15 Jun 2023, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-06-15 11:15

Updated : 2024-02-04 23:37

NVD link : CVE-2023-28175

Mitre link : CVE-2023-28175

CVE.ORG link : CVE-2023-28175

JSON object : View

Products Affected

bosch

  • divar_ip_6000
  • divar_ip_5000
  • divar_ip_7000_r2
  • divar_ip_3000_firmware
  • divar_ip_3000
  • divar_ip_7000_r2_firmware
  • video_management_system_viewer
  • divar_ip_4000_firmware
  • divar_ip_7000
  • divar_ip_6000_firmware
  • divar_ip_7000_r3
  • divar_ip_7000_r3_firmware
  • video_management_system
  • divar_ip_7000_firmware
  • divar_ip_5000_firmware
  • divar_ip_4000
CWE
CWE-863

Incorrect Authorization

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor