Vulnerabilites related to Acronis - Acronis Cyber Backup 12.5
cve-2022-3405
Vulnerability from cvelistv5
Published
2023-05-03 10:49
Modified
2025-02-03 18:23
Severity ?
EPSS score ?
Summary
Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Acronis | Acronis Cyber Protect 15 |
Version: unspecified ≤ |
||||||
|
|||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:07:06.478Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "SEC-4092", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security-advisory.acronis.com/advisories/SEC-4092", }, { name: "Authentication Bypass with subsequent Remote Command Execution in Acronis Cyber Protect", tags: [ "x_transferred", ], url: "https://herolab.usd.de/security-advisories/usd-2022-0008/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-3405", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-03T18:23:29.274084Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-03T18:23:43.444Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", platforms: [ "Windows", "Linux", ], product: "Acronis Cyber Protect 15", vendor: "Acronis", versions: [ { lessThan: "29486", status: "affected", version: "unspecified", versionType: "semver", }, ], }, { defaultStatus: "unaffected", platforms: [ "Windows", "Linux", ], product: "Acronis Cyber Backup 12.5", vendor: "Acronis", versions: [ { lessThan: "16545", status: "affected", version: "unspecified", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Sandro Tolksdorf of usd AG (https://herolab.usd.de)", }, { lang: "en", type: "finder", value: "@boldglum (https://hackerone.com/boldglum)", }, ], descriptions: [ { lang: "en", value: "Code execution and sensitive information disclosure due to excessive privileges assigned to Acronis Agent. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.", }, ], metrics: [ { cvssV3_0: { baseScore: 9.3, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", version: "3.0", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-269", description: "CWE-269", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-03T10:50:39.541Z", orgId: "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", shortName: "Acronis", }, references: [ { name: "SEC-4092", tags: [ "vendor-advisory", ], url: "https://security-advisory.acronis.com/advisories/SEC-4092", }, { name: "Authentication Bypass with subsequent Remote Command Execution in Acronis Cyber Protect", url: "https://herolab.usd.de/security-advisories/usd-2022-0008/", }, ], }, }, cveMetadata: { assignerOrgId: "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", assignerShortName: "Acronis", cveId: "CVE-2022-3405", datePublished: "2023-05-03T10:49:47.642Z", dateReserved: "2022-10-03T16:34:25.515Z", dateUpdated: "2025-02-03T18:23:43.444Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-30995
Vulnerability from cvelistv5
Published
2023-05-03 10:50
Modified
2025-01-30 15:19
Severity ?
EPSS score ?
Summary
Sensitive information disclosure due to improper authentication. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security-advisory.acronis.com/advisories/SEC-3855 | vendor-advisory |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Acronis | Acronis Cyber Protect 15 |
Version: unspecified ≤ |
||||||
|
|||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:03:40.283Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "SEC-3855", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security-advisory.acronis.com/advisories/SEC-3855", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-30995", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-30T15:19:22.624037Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-30T15:19:32.564Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", platforms: [ "Windows", "Linux", ], product: "Acronis Cyber Protect 15", vendor: "Acronis", versions: [ { lessThan: "29486", status: "affected", version: "unspecified", versionType: "semver", }, ], }, { defaultStatus: "unaffected", platforms: [ "Windows", "Linux", ], product: "Acronis Cyber Backup 12.5", vendor: "Acronis", versions: [ { lessThan: "16545", status: "affected", version: "unspecified", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "@boldglum (https://hackerone.com/boldglum)", }, { lang: "en", type: "finder", value: "Sandro Tolksdorf of usd AG (https://herolab.usd.de)", }, ], descriptions: [ { lang: "en", value: "Sensitive information disclosure due to improper authentication. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 29486, Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545.", }, ], metrics: [ { cvssV3_0: { baseScore: 9.3, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", version: "3.0", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-03T10:50:45.883Z", orgId: "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", shortName: "Acronis", }, references: [ { name: "SEC-3855", tags: [ "vendor-advisory", ], url: "https://security-advisory.acronis.com/advisories/SEC-3855", }, ], }, }, cveMetadata: { assignerOrgId: "73dc0fef-1c66-4a72-9d2d-0a0f4012c175", assignerShortName: "Acronis", cveId: "CVE-2022-30995", datePublished: "2023-05-03T10:50:45.883Z", dateReserved: "2022-05-18T07:09:14.532Z", dateUpdated: "2025-01-30T15:19:32.564Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }