CVE-2021-23859: Denial of Service and Authentication Bypass Vulnerability in multiple Bosch products
First published: Wed Dec 08 2021(Updated: )
An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859
Credit: psirt@bosch.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bosch Bosch Video Management System | <=9.0 | |
| Bosch Bosch Video Management System | >=10.0<10.0.2 | |
| Bosch Bosch Video Management System | =10.1 | |
| Bosch Bosch Video Management System | =11.0 | |
| Bosch Video Recording Manager | <=3.81 | |
| Bosch Video Recording Manager | >=3.82<=3.82.0057 | |
| Bosch Video Recording Manager | >=3.83<=3.83.0021 | |
| Bosch Video Recording Manager | >=4.0<=4.00.0070 | |
| Bosch Divar Ip 5000 Firmware | ||
| Bosch Divar Ip 7000 Firmware | ||
| Bosch Access Easy Controller Firmware | <=2.9.1.0 | |
| Bosch Access Easy Controller | ||
| Bosch Access Professional Edition | <=3.8.0 | |
| Bosch Building Integration System | <=4.9 | |
| Bosch Video Recording Manager Exporter | >=2.1<=2.10.0008 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-23859?
CVE-2021-23859 is a vulnerability that allows an unauthenticated attacker to send a special HTTP request that causes a service to crash.
How does CVE-2021-23859 affect Bosch Bosch Video Management System?
CVE-2021-23859 affects Bosch Bosch Video Management System versions up to 9.0, as well as versions from 10.0 to 10.0.2, 10.1, and 11.0.
How does CVE-2021-23859 affect Bosch Video Recording Manager?
CVE-2021-23859 affects Bosch Video Recording Manager versions up to 3.81, as well as versions from 3.82 to 3.82.0057, 3.83 to 3.83.0021, and 4.0 to 4.00.0070.
What is the severity of CVE-2021-23859?
The severity of CVE-2021-23859 is critical, with a CVSS score of 7.5.
How can I fix CVE-2021-23859?
To fix CVE-2021-23859, it is recommended to upgrade to the latest version of the affected software when available or apply any patches or security updates provided by the vendor.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/title
- agent/last-modified-date
- agent/author
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- vendor/bosch
- canonical/bosch bosch video management system
- version/bosch bosch video management system/9.0
- version/bosch bosch video management system/10.0
- version/bosch bosch video management system/10.1
- version/bosch bosch video management system/11.0
- canonical/bosch video recording manager
- version/bosch video recording manager/3.81
- version/bosch video recording manager/3.82
- version/bosch video recording manager/3.82.0057
- version/bosch video recording manager/3.83
- version/bosch video recording manager/3.83.0021
- version/bosch video recording manager/4.0
- version/bosch video recording manager/4.00.0070
- canonical/bosch divar ip 5000 firmware
- canonical/bosch divar ip 7000 firmware
- canonical/bosch access easy controller firmware
- version/bosch access easy controller firmware/2.9.1.0
- canonical/bosch access easy controller
- canonical/bosch access professional edition
- version/bosch access professional edition/3.8.0
- canonical/bosch building integration system
- version/bosch building integration system/4.9
- canonical/bosch video recording manager exporter
- version/bosch video recording manager exporter/2.1
- version/bosch video recording manager exporter/2.10.0008