A vulnerability in Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted client certificate used for authentication on a specific port. This can result in unauthorized access, enabling the user to call privileged methods and initiate critical services. The issue arises due to insufficient permission requirements on the method, allowing users with low privileges to perform actions that should require higher-level permissions.
References
History

Wed, 04 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Veeam
Veeam backup And Replication
Weaknesses CWE-306
CPEs cpe:2.3:a:veeam:backup_and_replication:*:*:*:*:*:*:*:*
Vendors & Products Veeam
Veeam backup And Replication
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Dec 2024 01:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted client certificate used for authentication on a specific port. This can result in unauthorized access, enabling the user to call privileged methods and initiate critical services. The issue arises due to insufficient permission requirements on the method, allowing users with low privileges to perform actions that should require higher-level permissions.
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2024-12-04T01:06:04.627Z

Updated: 2024-12-04T16:48:57.686Z

Reserved: 2024-08-02T01:04:07.985Z

Link: CVE-2024-42456

cve-icon Vulnrichment

Updated: 2024-12-04T16:48:00.626Z

cve-icon NVD

Status : Received

Published: 2024-12-04T02:15:05.033

Modified: 2024-12-04T17:15:14.233

Link: CVE-2024-42456

cve-icon Redhat

No data.