CVE-2024-29855
In short
Veeam Recovery Orchestrator contains a hard-coded JWT secret that attackers can use to forge authentication tokens and bypass login requirements, allowing unauthorized access to the system.
Technical detail
The application uses a hard-coded JWT secret (CWE-798) for token generation, so anyone who knows the secret can sign tokens the application accepts as valid. The result is a direct authentication bypass and full system compromise, with no valid user credentials or user interaction required.
Summary generated and translated by AI from the official description.
Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Veeam · Recovery Orchestrator
Public PoCs found: 1
GitHub: github.com/sinsinology/CVE-2024-29855 (20 stars)
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://www.veeam.com/kb4585