Strix
26.1K

CVE-2019-11684

CRITICALCVSS 9.8/10EPSS 0.99%

Last modified

CVE-2019-11684 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Improper Access Control in the RCP+ server of the Bosch Video Recording Manager (VRM) component allows arbitrary and unauthenticated access to a limited subset of certificates, stored in the underlying Microsoft Windows operating system. The fixed versions implement modified authentication checks. EPSS estimates a 0.99% chance of exploitation in the next 30 days.

Description

Improper Access Control in the RCP+ server of the Bosch Video Recording Manager (VRM) component allows arbitrary and unauthenticated access to a limited subset of certificates, stored in the underlying Microsoft Windows operating system. The fixed versions implement modified authentication checks. Prior releases of VRM software version 3.70 are considered unaffected. This vulnerability affects VRM v3.70.x, v3.71 < v3.71.0034 and v3.81 < 3.81.0050; DIVAR IP 5000 3.80 < 3.80.0039; BVMS all versions using VRM.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.99%

58.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
BoschVideo Recording Manager>= 3.70, < 3.71.0034
BoschVideo Recording Manager>= 3.81, < 3.81.0050
BoschDivar Ip 5000 Firmware>= 3.80, < 3.80.0039
BoschVideo Management System3.70.0056
BoschVideo Management System3.70.0058
BoschVideo Management System3.70.0060
BoschVideo Management System3.70.0062
BoschVideo Management System3.71.0022
BoschVideo Management System3.71.0029
BoschVideo Management System3.71.0031
BoschVideo Management System3.71.0032
BoschVideo Management System3.81.0032
BoschVideo Management System3.81.0038
BoschVideo Management System3.81.0048

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-11684?
Improper Access Control in the RCP+ server of the Bosch Video Recording Manager (VRM) component allows arbitrary and unauthenticated access to a limited subset of certificates, stored in the underlying Microsoft Windows operating system. The fixed versions implement modified authentication checks. Prior releases of VRM software version 3.70 are considered unaffected. This vulnerability affects VRM v3.70.x, v3.71 < v3.71.0034 and v3.81 < 3.81.0050; DIVAR IP 5000 3.80 < 3.80.0039; BVMS all versions using VRM.
How severe is CVE-2019-11684?
CVE-2019-11684 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.99% probability of exploitation in the next 30 days.
How do I fix CVE-2019-11684?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-11684?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST