CVE-2022-47648 (GCVE-0-2022-47648)
Vulnerability from cvelistv5 – Published: 2023-02-08 00:00 – Updated: 2025-07-23 20:45
VLAI?
Summary
An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013).
Severity ?
7.6 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:02:36.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://pastebin.com/raw/0CGTpiEn"
},
{
"tags": [
"x_transferred"
],
"url": "https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i_?usp=sharing"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-47648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T17:11:38.483730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:59:10.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "B420",
"vendor": "Bosch",
"versions": [
{
"status": "affected",
"version": "All Versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"orgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c"
},
"references": [
{
"name": "https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html",
"tags": [
"vendor-advisory"
],
"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html"
},
{
"url": "https://pastebin.com/raw/0CGTpiEn"
},
{
"url": "https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i_?usp=sharing"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "c95f66b2-7e7c-41c5-8f09-6f86ec68659c",
"assignerShortName": "bosch",
"cveId": "CVE-2022-47648",
"datePublished": "2023-02-08T00:00:00.000Z",
"dateReserved": "2022-12-21T00:00:00.000Z",
"dateUpdated": "2025-07-23T20:45:00.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:bosch:b420_firmware:02.02.0001:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9B7DA704-7E31-42CE-894A-7F1F14208E14\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:bosch:b420:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5F84AE9E-DFCD-41BE-92B7-93501C756316\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013).\"}]",
"id": "CVE-2022-47648",
"lastModified": "2024-11-21T07:32:18.357",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@bosch.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H\", \"baseScore\": 7.6, \"baseSeverity\": \"HIGH\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2023-02-08T21:15:10.707",
"references": "[{\"url\": \"https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i_?usp=sharing\", \"source\": \"psirt@bosch.com\"}, {\"url\": \"https://pastebin.com/raw/0CGTpiEn\", \"source\": \"psirt@bosch.com\"}, {\"url\": \"https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html\", \"source\": \"psirt@bosch.com\"}, {\"url\": \"https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i_?usp=sharing\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://pastebin.com/raw/0CGTpiEn\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "psirt@bosch.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"psirt@bosch.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-47648\",\"sourceIdentifier\":\"psirt@bosch.com\",\"published\":\"2023-02-08T21:15:10.707\",\"lastModified\":\"2024-11-21T07:32:18.357\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@bosch.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"psirt@bosch.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:bosch:b420_firmware:02.02.0001:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9B7DA704-7E31-42CE-894A-7F1F14208E14\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:bosch:b420:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F84AE9E-DFCD-41BE-92B7-93501C756316\"}]}]}],\"references\":[{\"url\":\"https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i_?usp=sharing\",\"source\":\"psirt@bosch.com\"},{\"url\":\"https://pastebin.com/raw/0CGTpiEn\",\"source\":\"psirt@bosch.com\"},{\"url\":\"https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html\",\"source\":\"psirt@bosch.com\"},{\"url\":\"https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i_?usp=sharing\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://pastebin.com/raw/0CGTpiEn\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html\", \"name\": \"https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://pastebin.com/raw/0CGTpiEn\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i_?usp=sharing\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T15:02:36.511Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-47648\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-31T17:11:38.483730Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T15:59:07.264Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Bosch\", \"product\": \"B420\", \"versions\": [{\"status\": \"affected\", \"version\": \"All Versions\"}]}], \"references\": [{\"url\": \"https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html\", \"name\": \"https://psirt.bosch.com/security-advisories/BOSCH-SA-341298-BT.html\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://pastebin.com/raw/0CGTpiEn\"}, {\"url\": \"https://drive.google.com/drive/folders/16jvVFyp9RlHvXvq7qbOCjCs1jiAPT3i_?usp=sharing\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Improper Access Control vulnerability allows an attacker to access the control panel of the B420 without requiring any sort of authorization or authentication due to the IP based authorization. If an authorized user has accessed a publicly available B420 product using valid credentials, an insider attacker can gain access to the same panel without requiring any sort of authorization. The B420 module was already obsolete at the time this vulnerability was found (The End of Life announcement was made in 2013).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"c95f66b2-7e7c-41c5-8f09-6f86ec68659c\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-47648\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-23T20:45:00.000Z\", \"dateReserved\": \"2022-12-21T00:00:00.000Z\", \"assignerOrgId\": \"c95f66b2-7e7c-41c5-8f09-6f86ec68659c\", \"datePublished\": \"2023-02-08T00:00:00.000Z\", \"assignerShortName\": \"bosch\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…