CVE-2023-35867

Improper handling of malformed API answer packets sent to API clients in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation. To exploit this vulnerability, an attacker has to replace an existing API server, e.g. through Man-in-the-Middle attacks.
Configurations

Configuration 1

cpe:2.3:a:bosch:building_integration_system_video_engine:*:*:*:*:*:*:*:*

Configuration 2

cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*

Configuration 4

cpe:2.3:a:bosch:configuration_manager:*:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:bosch:divar_ip_7000_r2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r2:-:*:*:*:*:*:*:*

Configuration 6

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_4000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_4000:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_5000:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_6000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_6000:-:*:*:*:*:*:*:*

Configuration 9

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_7000:-:*:*:*:*:*:*:*

Configuration 10

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_7000_r3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_7000_r3:-:*:*:*:*:*:*:*

Configuration 11

cpe:2.3:a:bosch:intelligent_insights:*:*:*:*:*:*:*:*

Configuration 12

cpe:2.3:a:bosch:_onvif_camera_event_driver_tool:*:*:*:*:*:*:*:*

Configuration 13

cpe:2.3:a:bosch:project_assistant:*:*:*:*:*:*:*:*

Configuration 14

cpe:2.3:a:bosch:video_security_client:*:*:*:*:*:*:*:*

History

22 Dec 2023, 20:13

Type: CWE
Values Added: NVD-CWE-Other

Type: References
Values Removed: https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html
Values Added: https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html - Vendor Advisory

Type: First Time
Values Added:
  • Bosch divar Ip All-in-one 4000 Firmware
  • Bosch building Integration System Video Engine
  • Bosch divar Ip All-in-one 7000 Firmware
  • Bosch divar Ip 7000 R2 Firmware
  • Bosch Onvif Camera Event Driver Tool
  • Bosch video Management System Viewer
  • Bosch
  • Bosch divar Ip All-in-one 5000
  • Bosch divar Ip All-in-one 7000 R3
  • Bosch project Assistant
  • Bosch divar Ip All-in-one 6000
  • Bosch divar Ip All-in-one 4000
  • Bosch divar Ip All-in-one 7000
  • Bosch video Security Client
  • Bosch divar Ip All-in-one 6000 Firmware
  • Bosch configuration Manager
  • Bosch bosch Video Management System
  • Bosch divar Ip All-in-one 7000 R3 Firmware
  • Bosch divar Ip All-in-one 5000 Firmware
  • Bosch divar Ip 7000 R2
  • Bosch intelligent Insights

Type: Summary
Values Added:
  • (es) Improper handling of malformed API answer packets sent to API clients in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation. To exploit this vulnerability, an attacker has to replace an existing API server, e.g. through Man-in-the-Middle attacks.

Type: CPE
Values Added:
  • cpe:2.3:a:bosch:configuration_manager:*:*:*:*:*:*:*:*
  • cpe:2.3:a:bosch:_onvif_camera_event_driver_tool:*:*:*:*:*:*:*:*
  • cpe:2.3:a:bosch:video_security_client:*:*:*:*:*:*:*:*
  • cpe:2.3:a:bosch:project_assistant:*:*:*:*:*:*:*:*
  • cpe:2.3:o:bosch:divar_ip_all-in-one_7000_r3_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:bosch:divar_ip_all-in-one_6000_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:bosch:divar_ip_all-in-one_7000_r3:-:*:*:*:*:*:*:*
  • cpe:2.3:h:bosch:divar_ip_all-in-one_6000:-:*:*:*:*:*:*:*
  • cpe:2.3:h:bosch:divar_ip_all-in-one_4000:-:*:*:*:*:*:*:*
  • cpe:2.3:o:bosch:divar_ip_all-in-one_4000_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:a:bosch:intelligent_insights:*:*:*:*:*:*:*:*
  • cpe:2.3:o:bosch:divar_ip_7000_r2_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*
  • cpe:2.3:o:bosch:divar_ip_all-in-one_5000_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:o:bosch:divar_ip_all-in-one_7000_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:bosch:divar_ip_all-in-one_7000:-:*:*:*:*:*:*:*
  • cpe:2.3:h:bosch:divar_ip_all-in-one_5000:-:*:*:*:*:*:*:*
  • cpe:2.3:h:bosch:divar_ip_7000_r2:-:*:*:*:*:*:*:*
  • cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*
  • cpe:2.3:a:bosch:building_integration_system_video_engine:*:*:*:*:*:*:*:*

18 Dec 2023, 14:05

Type: New CVE

Information

Published : 2023-12-18 13:15

Updated : 2023-12-22 20:13


NVD link : CVE-2023-35867

Mitre link : CVE-2023-35867

CVE.ORG link : CVE-2023-35867


Products Affected

bosch

  • _onvif_camera_event_driver_tool
  • divar_ip_all-in-one_6000
  • divar_ip_all-in-one_7000_r3
  • building_integration_system_video_engine
  • divar_ip_all-in-one_6000_firmware
  • video_security_client
  • configuration_manager
  • divar_ip_all-in-one_5000
  • divar_ip_7000_r2
  • divar_ip_all-in-one_7000
  • divar_ip_all-in-one_5000_firmware
  • intelligent_insights
  • divar_ip_all-in-one_7000_firmware
  • divar_ip_7000_r2_firmware
  • divar_ip_all-in-one_4000
  • divar_ip_all-in-one_4000_firmware
  • divar_ip_all-in-one_7000_r3_firmware
  • bosch_video_management_system
  • video_management_system_viewer
  • project_assistant
CWE

  • NVD-CWE-Other
  • CWE-703 Improper Check or Handling of Exceptional Conditions