CVE-2022-32534 : The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 and earlier was found to be vulnerable to command inj

The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 and earlier was found to be vulnerable to command injection through its diagnostics web interface. This allows execution of shell commands.

Published 2022-06-23 17:15:14

Updated 2023-06-29 14:24:10

Source Robert Bosch GmbH

View at NVD, CVE.org

Vulnerability category: Input validation

Exploit prediction scoring system (EPSS) score for CVE-2022-32534

Probability of exploitation activity in the next 30 days: 0.19%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 57 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-32534

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	Robert Bosch GmbH
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-32534

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: psirt@bosch.com (Secondary)
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-32534

https://psirt.bosch.com/security-advisories/BOSCH-SA-247052-BT.html

Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch | Bosch PSIRT
Vendor Advisory

CVEs referencing this url

Products affected by CVE-2022-32534

Bosch » Pra-es8p2s Firmware
Versions up to, including, (<=) 1.01.05
cpe:2.3:o:bosch:pra-es8p2s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bosch » Pra-es8p2s » Version: N/A

Vulnerability Details : CVE-2022-32534

Exploit prediction scoring system (EPSS) score for CVE-2022-32534

CVSS scores for CVE-2022-32534

CWE ids for CVE-2022-32534

References for CVE-2022-32534

Products affected by CVE-2022-32534