
List:       full-disclosure
Subject:    [FD] [Full Disclosure] CVE-2024-22901: Default MYSQL Credentials in Vinchin Backup & Recovery v7.2 a
From:       Valentin Lobstein via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2024-01-25 19:20:45
Message-ID: k6b2LfSVGk503DyTpvGJ6dg8Td7JPqS4E6lYh6tTp_JKvPOycW9XkWyW71ypObS9WRY_Hw9Sl4vHcKozXPZxTmUn0BrteRJjj0OmP-dLiDg= () protonmail ! com

CVE ID: CVE-2024-22901

Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2

Description:
A critical security issue, identified as CVE-2024-22901, has been discovered in Vinchin Backup & Recovery version 7.2. The software has been found to use default MySQL credentials, which could lead to significant security risks.

Additional Information:
Vinchin has not addressed previous disclosures, including CVE-2022-35866, and has not patched the reported vulnerabilities. The presence of these unresolved issues, now compounded by the newly discovered vulnerability of default MySQL credentials, opens up potential avenues for easy unauthenticated Remote Code Execution (RCE). This lack of response is alarming for a product that is certified in cybersecurity and poses a considerable risk to its users.

Vulnerability Type:
Incorrect Access Control

Vendor of Product:
Vinchin

Affected Product Code Base:
Vinchin Backup & Recovery - Version 7.2

Affected Component:
The MySQL database used by Vinchin Backup & Recovery

Attack Type:
Remote

Impact - Escalation of Privileges:
True

Attack Vectors:
The vulnerability can be exploited via local or remote access, utilizing the unpatched default MySQL credentials.

Discoverer:
Valentin Lobstein

Reference:
http://vinchin.com

Conclusion:
The discovery of CVE-2024-22901 highlights a critical oversight in Vinchin Backup & Recovery's security posture. Users are advised to be cautious and to monitor for any updates or patches from Vinchin, which should be applied immediately to mitigate this risk.

Signed, Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

