Veeam Patches Two Critical Bugs in Veeam ONE
Data resiliency specialist Veeam has released hotfixes to resolve four newly discovered vulnerabilities in its flagship IT monitoring and analytics tool, two of which are rated critical.
In a security update yesterday, the firm revealed CVE-2023-38547, a CVSS 9.9-rated flaw in Veeam ONE 11, 11a and 12.
“A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database,” it explained.
The second critical bug (CVE-2023-38548) affects Veeam ONE version 12 and has a CVSS score of 9.8.
“A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service,” Veeam said.
The remaining two vulnerabilities are rated “medium” severity. The first, CVE-2023-38549, has a CVSS score of 4.5 and affects Veeam ONE 11, 11a and 12. The vendor claimed the criticality of the bug is reduced because exploiting it requires interaction from a user holding the product’s administrator role.
“A vulnerability in Veeam ONE allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role through the use of XSS,” it said.
The second medium-severity bug is CVE-2023-41723, which has a CVSS score of 4.3, and also affects Veeam ONE 11, 11a and 12.
“A vulnerability in Veeam ONE allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule,” the vendor explained. It added that, in this case, the criticality is reduced because the user with a read-only role is only able to view the schedule and not make changes.