{"containers": {"cna": {"affected": [{"product": "Smart Home Controller", "vendor": "Bosch", "versions": [{"lessThan": "9.8.905", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Philip Kazmeier"}], "datePublic": "2019-05-29T00:00:00", "descriptions": [{"lang": "en", "value": "A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary's choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266 Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-05-29T19:40:01", "orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c", "shortName": "bosch"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Incorrect privilege assignment in the app pairing mechanism of the Bosch Smart Home Controller (SHC)", "x_generator": {"engine": "Vulnogram 0.0.6"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@bosch.com", "DATE_PUBLIC": "2019-05-29T12:00:00.000Z", "ID": "CVE-2019-11891", "STATE": "PUBLIC", "TITLE": "Incorrect privilege assignment in the app pairing mechanism of the Bosch Smart Home Controller (SHC)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Smart Home Controller", "version": {"version_data": [{"version_affected": "<", "version_value": "9.8.905"}]}}]}, "vendor_name": "Bosch"}]}}, "credit": [{"lang": "eng", "value": "Philip Kazmeier"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary's choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack."}]}, "generator": {"engine": "Vulnogram 0.0.6"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-266 Incorrect Privilege Assignment"}]}]}, "references": {"reference_data": [{"name": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html", "refsource": "CONFIRM", "url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:10:29.575Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"}]}]}, "cveMetadata": {"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c", "assignerShortName": "bosch", "cveId": "CVE-2019-11891", "datePublished": "2019-05-29T19:40:01.253370Z", "dateReserved": "2019-05-13T00:00:00", "dateUpdated": "2024-09-16T18:13:51.172Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:bosch:smart_home_controller_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "208D1A1D-4982-457F-A29B-0BE857355DC5", "versionEndExcluding": "9.8.905", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:bosch:smart_home_controller:-:*:*:*:*:*:*:*", "matchCriteriaId": "83665608-FC8C-4C92-9DAD-A025433DDD33", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in elevated privileges of the adversary's choosing. In order to exploit the vulnerability, the adversary needs physical access to the SHC during the attack."}, {"lang": "es", "value": "Existe una vulnerabilidad potencial  de asignaci\u00f3n de privilegios de asignaci\u00f3n de privilegios incorrrecta en el  mecanismo de emparajamiento de las aplicaciones del controlador Bosch Smart Home (SHC) anteriores a 9.8.905 que puede conllevar a privilegios elevados de la elecci\u00f3n del adversario. Para aprovechar la vulnerabilidad el adversario neceista acceso f\u00edsico al SHC durante el ataque."}], "id": "CVE-2019-11891", "lastModified": "2024-11-21T04:21:58.153", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "psirt@bosch.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-29T20:29:00.207", "references": [{"source": "psirt@bosch.com", "tags": ["Vendor Advisory"], "url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://psirt.bosch.com/Advisory/BOSCH-SA-662084.html"}], "sourceIdentifier": "psirt@bosch.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "psirt@bosch.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}