Server-side request forgery in the backup & restore functionality of ProSyst mBS SDK and Bosch IoT Gateway Software
CVE-2019-11897

8.6 HIGH

Key Information:

Vendor:
Bosch
CVE Published:
21 August 2019

What is CVE-2019-11897?

A Server-Side Request Forgery (SSRF) vulnerability in the backup & restore functionality of ProSyst mBS SDK versions earlier than 8.2.6 and Bosch IoT Gateway Software versions earlier than 9.3.0 allows an unauthenticated remote attacker to make the gateway issue GET requests to arbitrary URLs. Because the request originates from the gateway itself, it can reach hosts that are not exposed to the attacker directly, and it could potentially be used to read sensitive zip files from the local server. Upgrade to mBS SDK 8.2.6 / IoT Gateway Software 9.3.0 or later; until then, restrict network access to the backup & restore interface.
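The defect class described above is a restore endpoint that fetches whatever location it is handed. The following is an added example, not code from ProSyst or Bosch, of the check such an endpoint needs before it fetches anything: it refuses non-HTTPS schemes (so file:// is out), resolves the host and rejects any address that is loopback, link-local, private or otherwise not globally routable, and returns the validated address so the caller can connect to that exact IP. All names (validate_restore_url, demo_resolve, the example hostnames and the resolver table) are assumptions made for the example; the resolver table is constructed so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy for an illustrative "restore from URL" endpoint (assumed names, not the
# product's own): HTTPS on 443 only, and never a destination inside the gateway's
# own network. A bare urlopen(url) would happily accept file:///... and
# http://127.0.0.1/..., which is the SSRF shape the advisory describes.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

# Ranges that the ipaddress flags do not cover uniformly across Python versions.
_EXTRA_DENIED = [
    ipaddress.ip_network("100.64.0.0/10"),   # CGNAT / shared address space
    ipaddress.ip_network("192.0.0.0/24"),    # IETF protocol assignments
]


class RestoreUrlError(ValueError):
    """Raised when a restore URL must not be fetched."""


def _literal_ip(host):
    """Parse host as an IP literal, including the shorthand forms that libc's
    inet_aton accepts but a URL parser does not ('2130706433', '127.1').
    Returns None when host looks like a DNS name."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_public_address(addr):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                      # ::ffff:127.0.0.1 is still loopback
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in _EXTRA_DENIED if net.version == ip.version)


def _system_resolve(host):
    """Real DNS lookup; every address the name has, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def demo_resolve(host):
    """Constructed resolver table so the example runs without network access."""
    table = {
        "backups.example.net": ["8.8.8.8"],             # one public address
        "rebind.example.net": ["8.8.8.8", "10.0.0.5"],  # public + private: attacker-controlled name
    }
    return table.get(host, [])


def validate_restore_url(url, resolve=_system_resolve):
    """Return (hostname, pinned_ip) for a URL the restore code may fetch, or raise
    RestoreUrlError. `resolve` is injectable so the check can run without DNS."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise RestoreUrlError(f"scheme not allowed: {scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise RestoreUrlError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise RestoreUrlError("missing host")
    try:
        port = parts.port or 443
    except ValueError as e:
        raise RestoreUrlError(f"bad port: {e}") from None
    if port not in ALLOWED_PORTS:
        raise RestoreUrlError(f"port not allowed: {port}")

    literal = _literal_ip(host)
    candidates = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise RestoreUrlError(f"{host!r} did not resolve")
    # Every address must be public: a name with one public and one private record
    # is how an attacker steers the gateway's connection inward.
    for ip in candidates:
        if not is_public_address(ip):
            raise RestoreUrlError(f"{host!r} -> {ip} is not a public address")
    return host, str(candidates[0])


def check_restore_url(url, resolve=demo_resolve):
    """Non-raising wrapper: ('ok', host, ip) or ('rejected', reason)."""
    try:
        host, ip = validate_restore_url(url, resolve)
        return ("ok", host, ip)
    except RestoreUrlError as e:
        return ("rejected", str(e))
```

The caller should open the connection to the returned IP (sending the hostname in SNI and the Host header) rather than re-resolving, and must disable automatic redirects or re-run the check on each hop; otherwise a second DNS answer or a 302 to http://127.0.0.1/ reintroduces the problem. If a restore only ever needs archives already on the device, the safer design is to accept a file name and resolve it under a fixed backup directory instead of accepting a URL at all.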

Affected Version(s)

IoT Gateway Software < 9.3.0

mBS SDK < 8.2.6

CVSS V3.1 (the V3.0 assessment is identical)

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Scope is Changed because the forged request reaches systems beyond the vulnerable component itself. The 8.6 score follows from a High confidentiality impact with no integrity or availability impact; a High availability impact on this vector would score 10.0, so it is not part of this assessment.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 21 August 2019

Credit

Philip Kazmeier