CVE-2023-38547

2023-11-0707:15:07

[email protected]

web.nvd.nist.gov

1221

cve-2023-38547

veeam one

vulnerability

unauthenticated user

sql server

remote code execution

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

62.3%

JSON

A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.

Affected configurations

NVD

Node

veeamoneMatch11.0.0.1379

veeamoneMatch11.0.1.1880

veeamoneMatch12.0.0.2498

veeamoneMatch12.0.1.2591

CPENameOperatorVersion
veeam:oneveeam oneeq11.0.0.1379
veeam:oneveeam oneeq11.0.1.1880
veeam:oneveeam oneeq12.0.0.2498
veeam:oneveeam oneeq12.0.1.2591

CPE	Name	Operator	Version
veeam:one	veeam one	eq	11.0.0.1379
veeam:one	veeam one	eq	11.0.1.1880
veeam:one	veeam one	eq	12.0.0.2498
veeam:one	veeam one	eq	12.0.1.2591

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Veeam",
    "product": "One",
    "versions": [
      {
        "version": "11",
        "status": "affected",
        "lessThanOrEqual": "11",
        "versionType": "semver"
      },
      {
        "version": "11a",
        "status": "affected",
        "lessThanOrEqual": "11a",
        "versionType": "semver"
      },
      {
        "version": "12",
        "status": "affected",
        "lessThanOrEqual": "12",
        "versionType": "semver"
      }
    ]
  }
]