History: Nov 07, 2023 - 6:17 a.m.

CVE-2023-38547

2023-11-07 06:17:31
hackerone
www.cve.org
vulnerability, veeam one, unauthorized access, sql server, remote code execution

CVSS3: 9.9 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 10 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 62.3%)

A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "vendor": "Veeam",
    "product": "One",
    "versions": [
      {
        "version": "11",
        "status": "affected",
        "lessThanOrEqual": "11",
        "versionType": "semver"
      },
      {
        "version": "11a",
        "status": "affected",
        "lessThanOrEqual": "11a",
        "versionType": "semver"
      },
      {
        "version": "12",
        "status": "affected",
        "lessThanOrEqual": "12",
        "versionType": "semver"
      }
    ]
  }
]
