ID

VAR-202106-1407


CVE

CVE-2021-23847


TITLE

Vulnerability regarding lack of authentication for important functions in Bosch IP cameras

Trust: 0.8

sources: JVNDB: JVNDB-2021-008249

DESCRIPTION

A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.

Trust: 2.16

sources: NVD: CVE-2021-23847 // JVNDB: JVNDB-2021-008249 // CNNVD: CNNVD-202104-975

IOT TAXONOMY

category: ['camera device'] | sub_category: IP camera

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: bosch | model: cpp7.3 | scope: gte | version: 7.80

Trust: 1.0

vendor: bosch | model: cpp7.3 | scope: eq | version: 7.72

Trust: 1.0

vendor: bosch | model: cpp7 | scope: eq | version: 7.72

Trust: 1.0

vendor: bosch | model: cpp7 | scope: gte | version: 7.80

Trust: 1.0

vendor: bosch | model: cpp6 | scope: gte | version: 7.80

Trust: 1.0

vendor: bosch | model: cpp6 | scope: eq | version: 7.72

Trust: 1.0

vendor: bosch | model: cpp7.3 | scope: eq | version: 7.70

Trust: 1.0

vendor: bosch | model: cpp6 | scope: lt | version: 7.80.0129

Trust: 1.0

vendor: bosch | model: cpp7 | scope: eq | version: 7.70

Trust: 1.0

vendor: bosch | model: cpp6 | scope: eq | version: 7.70

Trust: 1.0

vendor: bosch | model: cpp7.3 | scope: lt | version: 7.80.0129

Trust: 1.0

vendor: bosch | model: cpp7 | scope: lt | version: 7.80.0129

Trust: 1.0

vendor: robert bosch | model: cpp6 | scope: - | version: -

Trust: 0.8

vendor: robert bosch | model: cpp7.3 | scope: - | version: -

Trust: 0.8

vendor: robert bosch | model: cpp7 | scope: - | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-008249 // NVD: CVE-2021-23847

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-23847
value: CRITICAL

Trust: 1.0

psirt@bosch.com: CVE-2021-23847
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-23847
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-738
value: CRITICAL

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2021-23847
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2021-23847
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 1.0

psirt@bosch.com: CVE-2021-23847
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-23847
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-008249 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-738 // NVD: CVE-2021-23847 // NVD: CVE-2021-23847

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.0

problemtype:CWE-287

Trust: 1.0

problemtype: Lack of authentication for important features (CWE-306) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-008249 // NVD: CVE-2021-23847

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-738

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: BOSCH-SA-478243-BT | url: https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html

Trust: 0.8

title: Bosch IP cameras Fixes for access control error vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=154905

Trust: 0.6

sources: JVNDB: JVNDB-2021-008249 // CNNVD: CNNVD-202106-738

EXTERNAL IDS

db: NVD | id: CVE-2021-23847

Trust: 3.3

db: JVNDB | id: JVNDB-2021-008249

Trust: 0.8

db: CS-HELP | id: SB2021041363

Trust: 0.6

db: CNNVD | id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP | id: SB2021070714

Trust: 0.6

db: CNNVD | id: CNNVD-202106-738

Trust: 0.6

db: OTHER | id: NONE

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2021-008249 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-738 // NVD: CVE-2021-23847

REFERENCES

url:https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-23847

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021070714

Trust: 0.6

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2021-008249 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-738 // NVD: CVE-2021-23847

SOURCES

db: OTHER | id: -
db: JVNDB | id: JVNDB-2021-008249
db: CNNVD | id: CNNVD-202104-975
db: CNNVD | id: CNNVD-202106-738
db: NVD | id: CVE-2021-23847

LAST UPDATE DATE

2025-01-30T20:15:48.419000+00:00


SOURCES UPDATE DATE

db: JVNDB | id: JVNDB-2021-008249 | date: 2022-03-09T09:04:00
db: CNNVD | id: CNNVD-202104-975 | date: 2021-04-14T00:00:00
db: CNNVD | id: CNNVD-202106-738 | date: 2021-07-08T00:00:00
db: NVD | id: CVE-2021-23847 | date: 2021-06-22T13:36:37.013

SOURCES RELEASE DATE

db: JVNDB | id: JVNDB-2021-008249 | date: 2022-03-09T00:00:00
db: CNNVD | id: CNNVD-202104-975 | date: 2021-04-13T00:00:00
db: CNNVD | id: CNNVD-202106-738 | date: 2021-06-09T00:00:00
db: NVD | id: CVE-2021-23847 | date: 2021-06-09T15:15:08.187