{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-38547", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2023-07-20T01:00:12.444Z", "datePublished": "2023-11-07T06:17:31.617Z", "dateUpdated": "2023-11-07T06:17:31.617Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Veeam", "product": "One", "versions": [{"version": "11", "status": "affected", "lessThanOrEqual": "11", "versionType": "semver"}, {"version": "11a", "status": "affected", "lessThanOrEqual": "11a", "versionType": "semver"}, {"version": "12", "status": "affected", "lessThanOrEqual": "12", "versionType": "semver"}]}], "references": [{"url": "https://www.veeam.com/kb4508"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2023-11-07T06:17:31.617Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veeam:one:11.0.0.1379:*:*:*:*:*:*:*", "matchCriteriaId": "8D1ECDF8-4BAB-4E77-A409-EB5065AB916D", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:one:11.0.1.1880:*:*:*:*:*:*:*", "matchCriteriaId": "CD967DF5-1470-43EF-9465-A2E464F30F88", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:one:12.0.0.2498:*:*:*:*:*:*:*", "matchCriteriaId": "D1C9B702-1613-4570-B9CB-5BF3F7F6B732", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:one:12.0.1.2591:*:*:*:*:*:*:*", "matchCriteriaId": "B1FB1ABE-0179-400B-8EFD-7F84A51B64C8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database."}, {"lang": "es", "value": "Una vulnerabilidad en Veeam ONE permite a un usuario no autenticado obtener informaci\u00f3n sobre la conexi\u00f3n del servidor SQL que Veeam ONE utiliza para acceder a su base de datos de configuraci\u00f3n. Esto puede llevar a la ejecuci\u00f3n remota de c\u00f3digo en el servidor SQL que aloja la base de datos de configuraci\u00f3n de Veeam ONE."}], "id": "CVE-2023-38547", "lastModified": "2023-11-14T19:46:00.150", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "support@hackerone.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-07T07:15:07.387", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.veeam.com/kb4508"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}