Lucene search

HackeroneCVE-2024-22021

HistoryFeb 07, 2024 - 1:15 a.m.

CVE-2024-22021

2024-02-0701:15:08

hackerone

web.nvd.nist.gov

cve

cve-2024-22021

vulnerability

veeam

recovery orchestrator

nvd

information security

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

Percentile

14.0%

JSON

Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retrieve plans from a Scope other than the one they are assigned to.

Affected configurations

Nvd

Node

veeamavailability_orchestratorMatch4.0

veeamdisaster_recovery_orchestratorMatch5.0

veeamrecovery_orchestratorMatch6.0

VendorProductVersionCPE
veeamavailability_orchestrator4.0cpe:2.3:a:veeam:availability_orchestrator:4.0:*:*:*:*:*:*:*
veeamdisaster_recovery_orchestrator5.0cpe:2.3:a:veeam:disaster_recovery_orchestrator:5.0:*:*:*:*:*:*:*
veeamrecovery_orchestrator6.0cpe:2.3:a:veeam:recovery_orchestrator:6.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
veeam	availability_orchestrator	4.0	cpe:2.3:a:veeam:availability_orchestrator:4.0:::::::*
veeam	disaster_recovery_orchestrator	5.0	cpe:2.3:a:veeam:disaster_recovery_orchestrator:5.0:::::::*
veeam	recovery_orchestrator	6.0	cpe:2.3:a:veeam:recovery_orchestrator:6.0:::::::*

CNA Affected

[
  {
    "vendor": "Veeam",
    "product": "Recovery Orchestrator ",
    "versions": [
      {
        "version": "6",
        "status": "affected",
        "lessThan": "6",
        "versionType": "semver"
      }
    ]
  },
  {
    "vendor": "Veeam",
    "product": "Disaster Recovery Orchestrator",
    "versions": [
      {
        "version": "5",
        "status": "affected",
        "lessThan": "5",
        "versionType": "semver"
      }
    ]
  },
  {
    "vendor": "Veeam",
    "product": "Availability Orchestrator",
    "versions": [
      {
        "version": "4",
        "status": "affected",
        "lessThan": "4",
        "versionType": "semver"
      }
    ]
  },
  {
    "vendor": "Veeam",
    "product": "Recovery Orchestrator",
    "versions": [
      {
        "version": "7",
        "status": "unaffected",
        "lessThan": "7",
        "versionType": "semver"
      }
    ]
  }
]

References

veeam.com/kb4541

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

Percentile

14.0%

JSON

Related for CVE-2024-22021