Smart Home Controller Firmware
CVE-2019-11896
HIGH
Severity by source
AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction.
AnalysisAI
A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app. Rated high severity (CVSS 7.1), this vulnerability is no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-284. A potential incorrect privilege assignment vulnerability exists in the 3rd party pairing mechanism of the Bosch Smart Home Controller (SHC) before 9.8.907 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app, which requires user interaction. Affected products include: Bosch Smart Home Controller Firmware. Version information: before 9.8.907.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home
A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (S
A potential incorrect privilege assignment vulnerability exists in the app pairing mechanism of the Bosch Smart Home Con
A potential improper access control vulnerability exists in the backup mechanism of the Bosch Smart Home Controller (SHC
A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller (S
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today