Vulnerability Details : CVE-2019-11893
A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction.
Exploit prediction scoring system (EPSS) score for CVE-2019-11893
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 10 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-11893
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.9
|
MEDIUM | AV:A/AC:M/Au:S/C:P/I:P/A:P |
4.4
|
6.4
|
NIST |
|
5.5
|
MEDIUM | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
2.1
|
3.4
|
Robert Bosch GmbH |
|
8.0
|
HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.1
|
5.9
|
NIST |
CWE ids for CVE-2019-11893
-
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.Assigned by: psirt@bosch.com (Secondary)
-
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11893
-
https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html
Multiple vulnerabilities in Bosch Smart Home ControllerVendor Advisory
Products affected by CVE-2019-11893
- cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*