CVE-2024-29849 : Veeam Backup Enterprise Manager allows unauthenticated users to log in as any us

Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.

Published 2024-05-22 23:15:09

Updated 2024-07-11 15:05:35

Source HackerOne

View at NVD, CVE.org

Products affected by CVE-2024-29849

Please log in to view affected product information.

EPSS FAQ

52.72%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	HackerOne	2024-05-22
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

https://veeam.com/kb4581

KB4581: Veeam Backup Enterprise Manager Vulnerabilities (CVE-2024-29849, CVE-2024-29850, CVE-2024-29851, CVE-2024-29852)

CVEs referencing this url

Jump to