History: Aug 03, 2022 - 4:15 p.m.

CVE-2022-35866

2022-08-03 16:15:08
CWE-798
web.nvd.nist.gov
vulnerability
vinchin backup and recovery
authentication bypass
mysql
cve-2022-35866
zdi-can-17139
nvd

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.6 High (Confidence: High)

EPSS: 0.01 Low (Percentile: 83.5%)

This vulnerability allows remote attackers to bypass authentication on affected installations of Vinchin Backup and Recovery 6.5.0.17561. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MySQL server. The server uses a hard-coded password for the administrator user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17139.

Affected configurations

Node: vinchin vinchin_backup_and_recovery, Range: 6.5.0.17561

CNA Affected

[
  {
    "vendor": "Vinchin",
    "product": "Backup and Recovery",
    "versions": [
      {
        "version": "6.5.0.17561",
        "status": "affected"
      }
    ]
  }
]
