CVE-2024-22021 - OpenCVE

Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retrieve plans from a Scope other than the one they are assigned to.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Veeam	Recovery Orchestrator Availability Orchestrator Disaster Recovery Orchestrator

Configuration 1 [-]

OR	cpe:2.3:a:veeam:availability_orchestrator:4.0:::::::*
	cpe:2.3:a:veeam:disaster_recovery_orchestrator:5.0:::::::*
	cpe:2.3:a:veeam:recovery_orchestrator:6.0:::::::*

References

Link	Resource
https://veeam.com/kb4541	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2024-02-07T00:53:30.493Z

Updated: 2024-07-05T17:21:38.648Z

Reserved: 2024-01-04T01:04:06.574Z

Link: CVE-2024-22021

JSON object: View

NVD Information

Status : Modified

Published: 2024-02-07T01:15:08.320

Modified: 2024-02-29T01:44:04.690

Link: CVE-2024-22021

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veeam:availability_orchestrator:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "7173B6BA-2373-4A7B-8B4B-700198F7FAD0", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:disaster_recovery_orchestrator:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "5C71310C-CACF-4575-AB51-D6B747C09F73", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:recovery_orchestrator:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "8DD6C8BF-9CAA-44C7-B621-3EBECEEDCD0B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability\u202fCVE-2024-22021 allows\u202fa\u202fVeeam Recovery Orchestrator user with a low\u202fprivileged\u202frole (Plan\u202fAuthor)\u202fto retrieve\u202fplans\u202ffrom\u202fa\u202fScope other than the one they are assigned to. \n"}, {"lang": "es", "value": "La vulnerabilidad CVE-2024-22021 permite a un usuario de Veeam Recovery Orchestrator con un rol de privilegios bajos (Autor del plan) recuperar planes de un \u00e1mbito distinto al que est\u00e1n asignados."}], "id": "CVE-2024-22021", "lastModified": "2024-02-29T01:44:04.690", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "support@hackerone.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-07T01:15:08.320", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://veeam.com/kb4541"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}