CVE-2021-23859

Summary

An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859

Affected Software

VendorProductVersion RangeStatus
BoschBVMSunspecified <= 9.0.0affected
BoschBVMS11.0 < 11.0.0affected
BoschBVMS10.0 < 10.0.2affected
BoschBVMS10.1 < 10.1.1affected
BoschDIVAR IP 7000 R2allaffected
BoschDIVAR IP all-in-one 5000allaffected
BoschDIVAR IP all-in-one 7000allaffected
BoschVRMunspecified <= 3.81affected
BoschVRM4.0 <= 4.00.0070affected
BoschVRM3.83 <= 3.83.0021affected
BoschVRM3.82 <= 3.82.0057affected
BoschVRM Exporter2.1 <= 2.10.0008affected
BoschAPEunspecified <= 3.8.x.xaffected
BoschAECunspecified <= 2.9.1.xaffected
BoschBISunspecified <= 4.9affected
BoschBISunspecified <= 4.8affected
BoschBISunspecified <= 4.7affected

Weaknesses

  • CWE-703: CWE-703 Improper Check or Handling of Exceptional Conditions

ADP Enrichment

CVE Program Container

Additional References

References