ID

VAR-201908-1625


CVE

CVE-2019-11897


TITLE

ProSyst mBS SDK and Bosch IoT Gateway Software Vulnerable to server-side request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2019-008636

DESCRIPTION

A Server-Side Request Forgery (SSRF) vulnerability in the backup & restore functionality of ProSyst mBS SDK versions earlier than 8.2.6 and Bosch IoT Gateway Software versions earlier than 9.3.0 allows a remote attacker to forge GET requests to arbitrary URLs. In addition, this could potentially allow an attacker to read sensitive zip files from the local server. The vulnerability originates from improper design or implementation during code development of a network system or product.

Trust: 2.25

sources: NVD: CVE-2019-11897 // JVNDB: JVNDB-2019-008636 // CNNVD: CNNVD-201908-1637 // VULHUB: VHN-143589

AFFECTED PRODUCTS

vendor: bosch, model: prosyst mbs sdk, scope: lt, version: 8.2.6

Trust: 1.0

vendor: bosch, model: iot gateway software, scope: lt, version: 9.3.0

Trust: 1.0

vendor: robert bosch, model: iot gateway software, scope: lt, version: 8.2.6

Trust: 0.8

vendor: robert bosch, model: prosyst mbs sdk, scope: lt, version: 9.3.0

Trust: 0.8

sources: JVNDB: JVNDB-2019-008636 // NVD: CVE-2019-11897

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11897
value: HIGH

Trust: 1.0

psirt@bosch.com: CVE-2019-11897
value: HIGH

Trust: 1.0

NVD: CVE-2019-11897
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201908-1637
value: HIGH

Trust: 0.6

VULHUB: VHN-143589
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-11897
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-143589
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-11897
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.0
version: 3.0

Trust: 2.8

sources: VULHUB: VHN-143589 // JVNDB: JVNDB-2019-008636 // CNNVD: CNNVD-201908-1637 // NVD: CVE-2019-11897 // NVD: CVE-2019-11897

PROBLEMTYPE DATA

problemtype: CWE-918

Trust: 1.9

sources: VULHUB: VHN-143589 // JVNDB: JVNDB-2019-008636 // NVD: CVE-2019-11897

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1637

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201908-1637

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008636

PATCH

title: BOSCH-SA-562575, url: https://psirt.bosch.com/Advisory/BOSCH-SA-562575.html

Trust: 0.8

title: ProSyst mBS SDK and Bosch IoT Gateway Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97255

Trust: 0.6

sources: JVNDB: JVNDB-2019-008636 // CNNVD: CNNVD-201908-1637

EXTERNAL IDS

db: NVD, id: CVE-2019-11897

Trust: 2.5

db: JVNDB, id: JVNDB-2019-008636

Trust: 0.8

db: CNNVD, id: CNNVD-201908-1637

Trust: 0.7

db: VULHUB, id: VHN-143589

Trust: 0.1

sources: VULHUB: VHN-143589 // JVNDB: JVNDB-2019-008636 // CNNVD: CNNVD-201908-1637 // NVD: CVE-2019-11897

REFERENCES

url: https://psirt.bosch.com/advisory/bosch-sa-562575.html

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-11897

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11897

Trust: 0.8

sources: VULHUB: VHN-143589 // JVNDB: JVNDB-2019-008636 // CNNVD: CNNVD-201908-1637 // NVD: CVE-2019-11897

SOURCES

db: VULHUB, id: VHN-143589
db: JVNDB, id: JVNDB-2019-008636
db: CNNVD, id: CNNVD-201908-1637
db: NVD, id: CVE-2019-11897

LAST UPDATE DATE

2024-11-23T22:44:54.578000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-143589, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2019-008636, date: 2019-09-04T00:00:00
db: CNNVD, id: CNNVD-201908-1637, date: 2019-09-05T00:00:00
db: NVD, id: CVE-2019-11897, date: 2024-11-21T04:21:58.873

SOURCES RELEASE DATE

db: VULHUB, id: VHN-143589, date: 2019-08-21T00:00:00
db: JVNDB, id: JVNDB-2019-008636, date: 2019-09-04T00:00:00
db: CNNVD, id: CNNVD-201908-1637, date: 2019-08-21T00:00:00
db: NVD, id: CVE-2019-11897, date: 2019-08-21T18:15:13.273