CVE-2020-6770

Deserialization of Untrusted Data in the BVMS Mobile Video Service (BVMS MVS) allows an unauthenticated remote attacker to execute arbitrary code on the system. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.0.329 and 7.5 and older. This affects Bosch DIVAR IP 3000 and DIVAR IP 7000 if a vulnerable BVMS version is installed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
boschCNA
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 93%
VendorProductVersion
boschbosch_video_management_system_mobile_video_service
𝑥
≤ 7.5
boschbosch_video_management_system_mobile_video_service
8.0 ≤
𝑥
≤ 8.0.0.329
boschbosch_video_management_system_mobile_video_service
9.0 ≤
𝑥
≤ 9.0.0.827
boschbosch_video_management_system_mobile_video_service
10.0 ≤
𝑥
≤ 10.0.0.1225
boschdivar_ip_3000_firmware
-
boschdivar_ip_7000_firmware
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://psirt.bosch.com/security-advisories/BOSCH-SA-885551-BT.html
https://psirt.bosch.com/security-advisories/BOSCH-SA-885551-BT.html