CVE-2021-23859

An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859

Published: Dec 8, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-23859
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-755

Affected Software
References

Software	From	Fixed in
bosch / bosch_video_management_system	-	9.0.x
bosch / bosch_video_management_system	10.0	10.0.2
bosch / bosch_video_management_system	10.1	10.1.x
bosch / bosch_video_management_system	11.0	11.0.x
bosch / video_recording_manager	-	3.81.x
bosch / video_recording_manager	3.82	3.82.0057.x
bosch / video_recording_manager	3.83	3.83.0021.x
bosch / video_recording_manager	4.0	4.00.0070.x
bosch / access_easy_controller_firmware	-	2.9.1.0.x
bosch / video_recording_manager_exporter	2.1	2.10.0008.x
bosch / building_integration_system	-	4.9.x
bosch / access_professional_edition	-	3.8.0.x

https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html

Vulnerability Database

289,784

CVE-2021-23859