Incorrect Privilege Assignment

CVE-2019-11893

High

8/10

Summary

A potential incorrect privilege assignment vulnerability exists in the app permission update API of the Bosch Smart Home Controller (SHC) before 9.8.905 that may result in a restricted app obtaining default app permissions. In order to exploit the vulnerability, the adversary needs to have successfully paired an app with restricted permissions, which required user interaction.

Attack Complexity: LOW
Attack Vector: ADJACENT_NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-266 - Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References

Advisory Timeline

Published May 29, 2019

Incorrect Privilege Assignment

CVE-2019-11893

Summary

CWE-266 - Incorrect Privilege Assignment

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS