List: full-disclosure
Subject: [FD] [Full Disclosure] CVE-2024-22901: Default MYSQL Credentials in Vinchin Backup & Recovery v7.2 a
From: Valentin Lobstein via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2024-01-25 19:20:45
Message-ID: k6b2LfSVGk503DyTpvGJ6dg8Td7JPqS4E6lYh6tTp_JKvPOycW9XkWyW71ypObS9WRY_Hw9Sl4vHcKozXPZxTmUn0BrteRJjj0OmP-dLiDg= () protonmail ! com
CVE ID: CVE-2024-22901
Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2
Description:
CVE-2024-22901 has been assigned to a critical security issue in Vinchin Backup & Recovery version 7.2: the product ships with default MySQL credentials. Anyone who can reach the MySQL service and knows those defaults can authenticate to the database that backs the application, which is a significant risk for a backup appliance.
Additional Information:
Vinchin has not responded to earlier disclosures, including CVE-2022-35866, and the vulnerabilities reported then remain unpatched. Combined with those unresolved issues, the default MySQL credentials open an easy path to unauthenticated Remote Code Execution (RCE). For a product that is presented as certified in cybersecurity, this lack of vendor response is alarming and leaves its users at considerable risk.
Vulnerability Type:
Incorrect Access Control
Vendor of Product:
Vinchin
Affected Product Code Base:
Vinchin Backup & Recovery - Version 7.2
Affected Component:
The MySQL database used by Vinchin Backup & Recovery
Attack Type:
Remote
Impact - Escalation of Privileges:
True
Attack Vectors:
The vulnerability can be exploited by anyone with local or remote access to the MySQL service, by authenticating with the default MySQL credentials, which the vendor has not changed.
Discoverer:
Valentin Lobstein
Reference:
http://vinchin.com
Conclusion:
CVE-2024-22901 highlights a critical oversight in the security posture of Vinchin Backup & Recovery. No vendor fix was available at the time of writing. Users should watch for updates or patches from Vinchin and apply them immediately; in the meantime they should verify whether the MySQL service on the appliance is reachable from the network and whether its accounts still use the shipped credentials, and restrict access and rotate those credentials where they can do so safely.
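As an added example that is not part of the original advisory and not Vinchin's own code, the following MySQL statements show how an operator with administrative access to the appliance's database could audit for the two conditions the advisory describes (accounts that accept remote logins, accounts with empty or unchanged credentials) and remediate them. The account name vinchin_app, the host pattern and the replacement password are placeholders, since the advisory does not publish the default credentials; the real account names and hosts must be read from the live mysql.user table first.

```sql
-- Added example, not Vinchin's code. Run as a MySQL administrative user on
-- the appliance's database. Account names and hosts below are placeholders;
-- read the real ones from mysql.user before changing anything.

-- 1. Is the server listening on the network at all? If bind_address is
--    0.0.0.0 or * and skip_networking is OFF, remote logins are possible.
SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'skip_networking', 'port');

-- 2. Which accounts may log in from remote hosts, and which have an empty
--    password hash? Seen from the database side, these are what "default
--    credentials reachable remotely" look like. Column names are for
--    MySQL 5.7+/8.x; on 5.6 the hash column is `password` instead of
--    `authentication_string`.
SELECT user, host, plugin,
       (authentication_string = '') AS empty_password,
       (host NOT IN ('localhost', '127.0.0.1', '::1')) AS remote_login
FROM mysql.user
WHERE authentication_string = ''
   OR host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY user, host;

-- 3. Remediate a placeholder application account: rotate its password and
--    restrict it to local logins. RENAME USER changes the host part of the
--    account and carries its privileges over; it fails if an account with
--    the target name@host already exists, so check step 2's output first.
ALTER USER 'vinchin_app'@'%' IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-SECRET';
RENAME USER 'vinchin_app'@'%' TO 'vinchin_app'@'localhost';

-- 4. Confirm that no remote-capable or passwordless account remains.
SELECT user, host FROM mysql.user
WHERE authentication_string = ''
   OR host NOT IN ('localhost', '127.0.0.1', '::1');
```

The application reads its database password from its own configuration, so rotating the password in step 3 without updating that configuration will break the product; do it in a maintenance window once the configuration location is known. Where it is not, limiting exposure is still possible without touching credentials: set bind_address to 127.0.0.1 in the MySQL configuration, or block the MySQL port at the host or network firewall, so that only the local application can reach the service.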
Signed, Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/