Vulnerability Description
An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bosch | Bosch Video Management System | <= 9.0 |
| Bosch | Video Recording Manager | <= 3.81 |
| Bosch | Divar Ip 5000 Firmware | - |
| Bosch | Divar Ip 7000 Firmware | - |
| Bosch | Access Easy Controller Firmware | <= 2.9.1.0 |
| Bosch | Access Easy Controller | - |
| Bosch | Access Professional Edition | <= 3.8.0 |
| Bosch | Building Integration System | <= 4.9 |
| Bosch | Video Recording Manager Exporter | >= 2.1, <= 2.10.0008 |
Related Weaknesses (CWE)
References
- https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.htmlVendor Advisory
- https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.htmlVendor Advisory
FAQ
What is CVE-2021-23859?
CVE-2021-23859 is a vulnerability with a CVSS score of 9.1 (CRITICAL). An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to s...
How severe is CVE-2021-23859?
CVE-2021-23859 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-23859?
Check the references section above for vendor advisories and patch information. Affected products include: Bosch Bosch Video Management System, Bosch Video Recording Manager, Bosch Divar Ip 5000 Firmware, Bosch Divar Ip 7000 Firmware, Bosch Access Easy Controller Firmware.