CVE-2023-38547
In short
An unauthenticated attacker can discover sensitive SQL server connection details used by Veeam ONE, potentially leading to remote code execution on the database server. This is critical because it exposes database credentials without requiring any login.
Technical detail
A CWE-200 information disclosure vulnerability in Veeam ONE allows unauthenticated access to SQL server connection strings and credentials. An attacker can leverage this exposed information to authenticate to the underlying SQL database and achieve remote code execution through SQL injection or database-level exploits, bypassing application-level security controls.
Summary generated and translated by AI from the official description.
A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
Veeam · One
References
https://www.veeam.com/kb4508