CVE-2023-35867 : An improper handling of a malformed API answer packets to API clients in Bosch B

An improper handling of a malformed API answer packets to API clients in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation. To exploit this vulnerability an attacker has to replace an existing API server e.g. through Man-in-the-Middle attacks.

Published 2023-12-18 13:15:07

Updated 2023-12-22 20:13:41

Source Robert Bosch GmbH

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-35867

Bosch » Bosch Video Management System
Versions up to, including, (<=) 12.0
cpe:2.3:a:bosch:bosch_video_management_system:*:*:*:*:*:*:*:*
Matching versions
Bosch » Configuration Manager
Versions up to, including, (<=) 7.62
cpe:2.3:a:bosch:configuration_manager:*:*:*:*:*:*:*:*
Matching versions
Bosch » Video Management System Viewer
Versions up to, including, (<=) 12.0
cpe:2.3:a:bosch:video_management_system_viewer:*:*:*:*:*:*:*:*
Matching versions
Bosch » Divar Ip 7000 R2 Firmware
Versions up to, including, (<=) 12.0
cpe:2.3:o:bosch:divar_ip_7000_r2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bosch » Divar Ip 7000 R2 » Version: N/A
Bosch » Building Integration System Video Engine
Versions up to, including, (<=) 5.0.1
cpe:2.3:a:bosch:building_integration_system_video_engine:*:*:*:*:*:*:*:*
Matching versions
Bosch » Divar Ip All-in-one 4000 Firmware
Versions up to, including, (<=) 12.0
cpe:2.3:o:bosch:divar_ip_all-in-one_4000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bosch » Divar Ip All-in-one 4000 » Version: N/A
Bosch » Divar Ip All-in-one 5000 Firmware
Versions up to, including, (<=) 12.0
cpe:2.3:o:bosch:divar_ip_all-in-one_5000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bosch » Divar Ip All-in-one 5000 » Version: N/A
Bosch » Divar Ip All-in-one 6000 Firmware
Versions up to, including, (<=) 12.0
cpe:2.3:o:bosch:divar_ip_all-in-one_6000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bosch » Divar Ip All-in-one 6000 » Version: N/A
Bosch » Divar Ip All-in-one 7000 Firmware
Versions up to, including, (<=) 12.0
cpe:2.3:o:bosch:divar_ip_all-in-one_7000_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bosch » Divar Ip All-in-one 7000 » Version: N/A
Bosch » Divar Ip All-in-one 7000 R3 Firmware
Versions up to, including, (<=) 12.0
cpe:2.3:o:bosch:divar_ip_all-in-one_7000_r3_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Bosch » Divar Ip All-in-one 7000 R3 » Version: N/A
Bosch » Intelligent Insights
Versions up to, including, (<=) 1.0.3.14
cpe:2.3:a:bosch:intelligent_insights:*:*:*:*:*:*:*:*
Matching versions
Bosch » Onvif Camera Event Driver Tool
Versions up to, including, (<=) 2.0.0.8
cpe:2.3:a:bosch:_onvif_camera_event_driver_tool:*:*:*:*:*:*:*:*
Matching versions
Bosch » Project Assistant
Versions up to, including, (<=) 2.3
cpe:2.3:a:bosch:project_assistant:*:*:*:*:*:*:*:*
Matching versions
Bosch » Video Security Client
Versions up to, including, (<=) 3.3.5
cpe:2.3:a:bosch:video_security_client:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-35867

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 36 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-35867

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	Robert Bosch GmbH
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2023-35867

CWE-703 Improper Check or Handling of Exceptional Conditions

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Assigned by: psirt@bosch.com (Secondary)

References for CVE-2023-35867

https://psirt.bosch.com/security-advisories/BOSCH-SA-092656-BT.html

Denial of Service vulnerability in Bosch BT software products | Bosch PSIRT
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-35867

Products affected by CVE-2023-35867

Exploit prediction scoring system (EPSS) score for CVE-2023-35867

CVSS scores for CVE-2023-35867

CWE ids for CVE-2023-35867

References for CVE-2023-35867