ID

VAR-201908-1877


CVE

CVE-2019-11601


TITLE

ProSyst mBS SDK and Bosch IoT Gateway Software Path traversal vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008443

DESCRIPTION

A directory traversal vulnerability in remote access to backup & restore in versions of ProSyst mBS SDK earlier than 8.2.6 and of Bosch IoT Gateway Software earlier than 9.2.0 allows remote attackers to write or delete files at any location. ProSyst Software mBS SDK is a software development kit for OSGi application development from the German company ProSyst Software. The vulnerability stems from a network system or product's failure to properly filter special elements in a resource or file path. An attacker could use this vulnerability to access locations outside the restricted directory.

Trust: 2.25

sources: NVD: CVE-2019-11601 // JVNDB: JVNDB-2019-008443 // CNNVD: CNNVD-201908-1729 // VULHUB: VHN-143264

IOT TAXONOMY

category: ['network device'] | sub_category: gateway

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: bosch | model: prosyst mbs sdk | scope: lt | version: 8.2.6

Trust: 1.0

vendor: bosch | model: iot gateway software | scope: lt | version: 9.2.0

Trust: 1.0

vendor: robert bosch | model: iot gateway software | scope: eq | version: 9.2.0

Trust: 0.8

vendor: robert bosch | model: prosyst mbs sdk | scope: eq | version: 8.2.6

Trust: 0.8

sources: JVNDB: JVNDB-2019-008443 // NVD: CVE-2019-11601

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11601
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2019-11601
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-11601
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201908-1729
value: HIGH

Trust: 0.6

VULHUB: VHN-143264
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-11601
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-143264
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-11601
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2019-11601
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.0

Trust: 1.0

NVD: CVE-2019-11601
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-143264 // JVNDB: JVNDB-2019-008443 // CNNVD: CNNVD-201908-1729 // NVD: CVE-2019-11601 // NVD: CVE-2019-11601

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-143264 // JVNDB: JVNDB-2019-008443 // NVD: CVE-2019-11601

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1729

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201908-1729

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008443

PATCH

title: BOSCH-SA-562575 | url: https://psirt.bosch.com/Advisory/BOSCH-SA-562575.html

Trust: 0.8

title: ProSyst Software mBS SDK and Bosch IoT Gateway Software Security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=97317

Trust: 0.6

sources: JVNDB: JVNDB-2019-008443 // CNNVD: CNNVD-201908-1729

EXTERNAL IDS

db: NVD | id: CVE-2019-11601

Trust: 2.6

db: JVNDB | id: JVNDB-2019-008443

Trust: 0.8

db: CNNVD | id: CNNVD-201908-1729

Trust: 0.7

db: OTHER | id: NONE

Trust: 0.1

db: VULHUB | id: VHN-143264

Trust: 0.1

sources: OTHER: None // VULHUB: VHN-143264 // JVNDB: JVNDB-2019-008443 // CNNVD: CNNVD-201908-1729 // NVD: CVE-2019-11601

REFERENCES

url:https://psirt.bosch.com/advisory/bosch-sa-562575.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-11601

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11601

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // VULHUB: VHN-143264 // JVNDB: JVNDB-2019-008443 // CNNVD: CNNVD-201908-1729 // NVD: CVE-2019-11601

SOURCES

db: OTHER | id: -
db: VULHUB | id: VHN-143264
db: JVNDB | id: JVNDB-2019-008443
db: CNNVD | id: CNNVD-201908-1729
db: NVD | id: CVE-2019-11601

LAST UPDATE DATE

2025-01-30T22:37:54.340000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-143264 | date: 2023-02-02T00:00:00
db: JVNDB | id: JVNDB-2019-008443 | date: 2019-08-30T00:00:00
db: CNNVD | id: CNNVD-201908-1729 | date: 2019-09-05T00:00:00
db: NVD | id: CVE-2019-11601 | date: 2024-11-21T04:21:25.640

SOURCES RELEASE DATE

db: VULHUB | id: VHN-143264 | date: 2019-08-21T00:00:00
db: JVNDB | id: JVNDB-2019-008443 | date: 2019-08-30T00:00:00
db: CNNVD | id: CNNVD-201908-1729 | date: 2019-08-21T00:00:00
db: NVD | id: CVE-2019-11601 | date: 2019-08-21T20:15:12.447