A path traversal vulnerability in the Bosch Video Management System (BVMS) NoTouch deployment allows an unauthenticated remote attacker to read arbitrary files from the Central Server. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch BVMS Viewer versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000, DIVAR IP 7000 and DIVAR IP all-in-one 5000 if a vulnerable BVMS version is installed.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N
Vendors Products
Bosch
  • Video Management System
  • Video Management System Viewer
  • Divar Ip All-in-one 5000
  • Divar Ip 3000
  • Divar Ip 7000

Configuration 1 [-]

OR cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND
OR cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_3000:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
OR cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
OR cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_5000:-:*:*:*:*:*:*:*
References
Link Resource
https://psirt.bosch.com/security-advisories/bosch-sa-815013-bt.html Patch Vendor Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: bosch

Published: 2020-01-29T00:00:00

Updated: 2020-02-07T20:01:21

Reserved: 2020-01-10T00:00:00

Link: CVE-2020-6768

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2020-02-07T21:15:10.653

Modified: 2020-02-12T19:43:52.900

Link: CVE-2020-6768

JSON object: View

cve-icon Redhat Information

No data.

CWE