ID

VAR-201905-0917


CVE

CVE-2019-11891


TITLE

Bosch Smart Home Controller Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2019-004948

DESCRIPTION

A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary's choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack.

Trust: 1.62

sources: NVD: CVE-2019-11891 // JVNDB: JVNDB-2019-004948

IOT TAXONOMY

category: ['home & office device'], sub_category: smart home controller

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: bosch, model: smart home controller, scope: lt, version: 9.8.905

Trust: 1.0

vendor: robert bosch, model: smart home controller, scope: lt, version: 9.8.905

Trust: 0.8

sources: JVNDB: JVNDB-2019-004948 // NVD: CVE-2019-11891

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-11891
value: HIGH

Trust: 1.0

psirt@bosch.com: CVE-2019-11891
value: HIGH

Trust: 1.0

NVD: CVE-2019-11891
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201905-1082
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2019-11891
severity: MEDIUM
baseScore: 5.4
vectorString: AV:A/AC:M/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

psirt@bosch.com: CVE-2019-11891
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-11891
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: JVNDB: JVNDB-2019-004948 // CNNVD: CNNVD-201905-1082 // NVD: CVE-2019-11891 // NVD: CVE-2019-11891

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:CWE-266

Trust: 1.0

problemtype:CWE-264

Trust: 0.8

sources: JVNDB: JVNDB-2019-004948 // NVD: CVE-2019-11891

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201905-1082

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201905-1082

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004948

PATCH

title: BOSCH-SA-662084, url: https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html

Trust: 0.8

title: Bosch Smart Home Controller Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93035

Trust: 0.6

sources: JVNDB: JVNDB-2019-004948 // CNNVD: CNNVD-201905-1082

EXTERNAL IDS

db: NVD, id: CVE-2019-11891

Trust: 2.5

db: JVNDB, id: JVNDB-2019-004948

Trust: 0.8

db: CNNVD, id: CNNVD-201905-1082

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2019-004948 // CNNVD: CNNVD-201905-1082 // NVD: CVE-2019-11891

REFERENCES

url:https://psirt.bosch.com/advisory/bosch-sa-662084.html

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-11891

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11891

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2019-004948 // CNNVD: CNNVD-201905-1082 // NVD: CVE-2019-11891

SOURCES

db: OTHER, id: -
db: JVNDB, id: JVNDB-2019-004948
db: CNNVD, id: CNNVD-201905-1082
db: NVD, id: CVE-2019-11891

LAST UPDATE DATE

2025-01-30T20:23:52.204000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2019-004948, date: 2019-06-12T00:00:00
db: CNNVD, id: CNNVD-201905-1082, date: 2020-10-09T00:00:00
db: NVD, id: CVE-2019-11891, date: 2024-11-21T04:21:58.153

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2019-004948, date: 2019-06-12T00:00:00
db: CNNVD, id: CNNVD-201905-1082, date: 2019-05-29T00:00:00
db: NVD, id: CVE-2019-11891, date: 2019-05-29T20:29:00.207