Lucene search

[email protected]CVE-2022-26500

HistoryMar 17, 2022 - 9:15 p.m.

CVE-2022-26500

2022-03-1721:15:00

CWE-22

[email protected]

web.nvd.nist.gov

1080

In Wild

cve-2022-26500

veeam backup & replication

path limitation

remote authentication

arbitrary code execution

api security

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.053 Low

EPSS

Percentile

93.0%

JSON

Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.

CPENameOperatorVersion
veeam:backup_\&_replicationveeam backup \& replicationeq9.5.4.2615
veeam:backup_\&_replicationveeam backup \& replicationeq9.5.0.1536
veeam:backup_\&_replicationveeam backup \& replicationeq11.0.1.1261
veeam:backup_\&_replicationveeam backup \& replicationeq10.0.1.4854

CPE	Name	Operator	Version
veeam:backup_\&_replication	veeam backup \& replication	eq	9.5.4.2615
veeam:backup_\&_replication	veeam backup \& replication	eq	9.5.0.1536
veeam:backup_\&_replication	veeam backup \& replication	eq	11.0.1.1261
veeam:backup_\&_replication	veeam backup \& replication	eq	10.0.1.4854