CVE-2023-35867

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-35867
An improper handling of a malformed API answer packets to API clients in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation. To exploit this vulnerability an attacker has to replace an existing API server e.g. through Man-in-the-Middle attacks.

5.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html Vendor Advisory
https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:bosch:building_integration_system_video_engine:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:bosch:configuration_manager:*:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:bosch:divar_ip_7000_r2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r2:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_4000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_4000:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_5000:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_6000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_6000:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_7000:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:bosch:divar_ip_all-in-one_7000_r3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_7000_r3:-:*:*:*:*:*:*:*

Configuration 11 (hide)

cpe:2.3:a:bosch:intelligent_insights:*:*:*:*:*:*:*:*

Configuration 12 (hide)

cpe:2.3:a:bosch:_onvif_camera_event_driver_tool:*:*:*:*:*:*:*:*

Configuration 13 (hide)

cpe:2.3:a:bosch:project_assistant:*:*:*:*:*:*:*:*

Configuration 14 (hide)

cpe:2.3:a:bosch:video_security_client:*:*:*:*:*:*:*:*
History

21 Nov 2024, 08:08

Type Values Removed Values Added
References () https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html - Vendor Advisory () https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html - Vendor Advisory

22 Dec 2023, 20:13

Type Values Removed Values Added
References () https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html - () https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html - Vendor Advisory
First Time Bosch video Management System Viewer
Bosch divar Ip All-in-one 4000
Bosch divar Ip All-in-one 6000 Firmware
Bosch divar Ip All-in-one 7000
Bosch divar Ip All-in-one 6000
Bosch divar Ip All-in-one 5000 Firmware
Bosch building Integration System Video Engine
Bosch Onvif Camera Event Driver Tool
Bosch bosch Video Management System
Bosch intelligent Insights
Bosch
Bosch configuration Manager
Bosch divar Ip All-in-one 5000
Bosch divar Ip 7000 R2 Firmware
Bosch divar Ip All-in-one 7000 R3 Firmware
Bosch divar Ip All-in-one 7000 R3
Bosch divar Ip All-in-one 4000 Firmware
Bosch video Security Client
Bosch divar Ip 7000 R2
Bosch divar Ip All-in-one 7000 Firmware
Bosch project Assistant
CWE NVD-CWE-Other
CPE cpe:2.3:h:bosch:divar_ip_all-in-one_4000:-:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_all-in-one_7000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_all-in-one_6000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_6000:-:*:*:*:*:*:*:*
cpe:2.3:a:bosch:project_assistant:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:video_security_client:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_7000:-:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_7000_r3:-:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_7000_r2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_all-in-one_5000:-:*:*:*:*:*:*:*
cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:configuration_manager:*:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_all-in-one_4000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:building_integration_system_video_engine:*:*:*:*:*:*:*:*
cpe:2.3:h:bosch:divar_ip_7000_r2:-:*:*:*:*:*:*:*
cpe:2.3:a:bosch:_onvif_camera_event_driver_tool:*:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_all-in-one_7000_r3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:bosch:divar_ip_all-in-one_5000_firmware:*:*:*:*:*:*:*:*
cpe:2.3:a:bosch:intelligent_insights:*:*:*:*:*:*:*:*
Summary
  • (es) Un manejo inadecuado de paquetes de respuesta API con formato incorrecto para clientes API en productos de software Bosch BT puede permitir que un atacante no autenticado provoque una situación de denegación de servicio (DoS). Para aprovechar esta vulnerabilidad, un atacante debe reemplazar un servidor API existente, por ejemplo mediante ataques Man-in-the-Middle.

18 Dec 2023, 14:05

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-18 13:15

Updated : 2024-11-21 08:08

NVD link : CVE-2023-35867

Mitre link : CVE-2023-35867

CVE.ORG link : CVE-2023-35867

JSON object : View

Products Affected

bosch

  • building_integration_system_video_engine
  • video_management_system_viewer
  • divar_ip_7000_r2
  • divar_ip_all-in-one_7000_firmware
  • divar_ip_7000_r2_firmware
  • divar_ip_all-in-one_6000
  • divar_ip_all-in-one_7000_r3
  • divar_ip_all-in-one_5000_firmware
  • divar_ip_all-in-one_4000
  • divar_ip_all-in-one_7000_r3_firmware
  • project_assistant
  • divar_ip_all-in-one_4000_firmware
  • bosch_video_management_system
  • _onvif_camera_event_driver_tool
  • configuration_manager
  • intelligent_insights
  • divar_ip_all-in-one_7000
  • divar_ip_all-in-one_6000_firmware
  • divar_ip_all-in-one_5000
  • video_security_client
CWE
CWE-703

Improper Check or Handling of Exceptional Conditions

NVD-CWE-Other