Vulners
Lucene search
Vinchin Backup And Recovery 7.2 Default MySQL Credentials
🗓️ 26 Jan 2024 00:00:00Reported by Valentin LobsteinType 
packetstorm🔗 packetstormsecurity.com👁 423 Views
| Reporter | Title | Published | Views | Family All 26 |
|---|---|---|---|---|
 | CVE-2022-35866 | 3 Aug 202216:15 | – | attackerkb |
 | The vulnerability of the Vinchin Backup & Recovery software for backup and restoration operations, related to the use of default user accounts, allows a perpetrator to escalate their privileges. | 15 Feb 202400:00 | – | bdu_fstec |
 | CVE-2022-35866 | 3 Aug 202220:18 | – | circl |
| CVE-2024-22901 | 2 Feb 202403:22 | – | circl |
 | Vinchin Backup and Recovery 信任管理问题漏洞 | 3 Aug 202200:00 | – | cnnvd |
| Vinchin Backup and Recovery Operating System Command Injection Vulnerability | 27 Jan 202400:00 | – | cnnvd |
 | CVE-2022-35866 | 3 Aug 202200:00 | – | cve |
| CVE-2024-22901 | 2 Feb 202400:00 | – | cve |
 | CVE-2022-35866 | 3 Aug 202200:00 | – | cvelist |
| CVE-2024-22901 | 2 Feb 202400:00 | – | cvelist |
10
`CVE ID: CVE-2024-22901
Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2
Description:
A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2. The software has been found to use default MYSQL credentials, which could lead to significant security risks.
Additional Information:
Vinchin has not addressed previous disclosures, including CVE-2022-35866, and has not patched the reported vulnerabilities. The presence of these unresolved issues, now compounded by the newly discovered vulnerability of default MYSQL credentials, opens up potential avenues for easy unauthenticated Remote Code Execution (RCE). This lack of response is alarming for a product that is certified in cybersecurity and poses a considerable risk to its users.
Vulnerability Type:
Incorrect Access Control
Vendor of Product:
Vinchin
Affected Product Code Base:
Vinchin Backup & Recovery - Version 7.2
Affected Component:
The MySQL database used by Vinchin Backup & Recovery
Attack Type:
Remote
Impact - Escalation of Privileges:
True
Attack Vectors:
The vulnerability can be exploited via local or remote access, utilizing the unpatched default MySQL credentials.
Discoverer:
Valentin Lobstein
Reference:
http://vinchin.com
Conclusion:
The discovery of CVE-2024-22901 highlights a critical oversight in Vinchin Backup & Recovery's security posture. Users are advised to be cautious and to monitor for any updates or patches from Vinchin, which should be applied immediately to mitigate this risk.
Signed,Valentin Lobstein
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Jan 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.19.8
CVSS 39.8
EPSS0.03051
SSVC