Path Traversal in Bosch Video Management System NoTouch deployment

Published

2020-01-29 00:00:00 UTC

Summary

BOSCH-SA-815013-BT: A path traversal vulnerability exists in the BVMS NoTouch deployment. If this vulnerability is exploited, an unauthenticated attacker without local shell access to a BVMS Central Server system is able to fetch arbitrary data from the file system of the Central Server computer. Under specific circumstances, an attack can also be executed from the internet. Bosch rates this vulnerability with a CVSS v3.1 Base Score of 8.6 (High) and strongly recommends that customers update vulnerable components to fixed software versions. The vulnerability was found during internal security tests.