Vulnerabilites related to veeam - veeam_service_provider_console
Vulnerability from fkie_nvd
Published
2024-05-14 15:15
Modified
2025-06-30 17:53
Severity ?
Summary
Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://www.veeam.com/kb4575 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.veeam.com/kb4575 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| veeam | veeam_service_provider_console | * | |
| veeam | veeam_service_provider_console | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:veeam:veeam_service_provider_console:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4D0E94C5-E9EC-412B-8DE3-26A3FC796C2E",
"versionEndExcluding": "7.0.0.19551",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:veeam:veeam_service_provider_console:*:*:*:*:*:*:*:*",
"matchCriteriaId": "524A8202-AA13-4F9D-A0F1-1B3AFFC5532D",
"versionEndExcluding": "8.0.0.19552",
"versionStartIncluding": "8.0.0.18054",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine."
},
{
"lang": "es",
"value": "Debido a un m\u00e9todo de deserializaci\u00f3n inseguro utilizado por el servidor Veeam Service Provider Console (VSPC) en la comunicaci\u00f3n entre el agente de administraci\u00f3n y sus componentes, bajo ciertas condiciones, es posible realizar la ejecuci\u00f3n remota de c\u00f3digo (RCE) en la m\u00e1quina del servidor VSPC."
}
],
"id": "CVE-2024-29212",
"lastModified": "2025-06-30T17:53:09.313",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "support@hackerone.com",
"type": "Secondary"
}
]
},
"published": "2024-05-14T15:15:43.623",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.veeam.com/kb4575"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.veeam.com/kb4575"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-04 02:15
Modified
2025-07-02 20:34
Severity ?
Summary
A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://www.veeam.com/kb4649 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| veeam | veeam_service_provider_console | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:veeam:veeam_service_provider_console:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50FFBB24-D779-42F4-8874-3905AA3ABF75",
"versionEndExcluding": "8.1.0.21377",
"versionStartIncluding": "7.0.0.12777",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources."
},
{
"lang": "es",
"value": " Se ha identificado una vulnerabilidad en Veeam Service Provider Console, que permite realizar solicitudes HTTP arbitrarias a hosts arbitrarios de la red y obtener informaci\u00f3n sobre recursos internos."
}
],
"id": "CVE-2024-45206",
"lastModified": "2025-07-02T20:34:43.323",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "support@hackerone.com",
"type": "Secondary"
}
]
},
"published": "2024-12-04T02:15:05.427",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.veeam.com/kb4649"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2024-29212 (GCVE-0-2024-29212)
Vulnerability from cvelistv5
Published
2024-05-13 01:07
Modified
2024-08-02 01:10
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.veeam.com/kb4575 |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Veeam | Service Provider Console |
Version: 8 ≤ 8 Version: 7 ≤ 7 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "service_provider_console",
"vendor": "veeam",
"versions": [
{
"status": "affected",
"version": "7"
},
{
"status": "affected",
"version": "8"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T11:57:03.814114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:16.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.643Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.veeam.com/kb4575"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Service Provider Console",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "8",
"status": "affected",
"version": "8",
"versionType": "semver"
},
{
"lessThanOrEqual": "7",
"status": "affected",
"version": "7",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T01:07:49.112Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://www.veeam.com/kb4575"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2024-29212",
"datePublished": "2024-05-13T01:07:49.112Z",
"dateReserved": "2024-03-19T01:04:06.323Z",
"dateUpdated": "2024-08-02T01:10:54.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45206 (GCVE-0-2024-45206)
Vulnerability from cvelistv5
Published
2024-12-04 01:06
Modified
2025-03-13 18:36
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.veeam.com/kb4649 |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Veeam | Service Provider Console |
Version: 8.0 ≤ 8.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "service_provider_console",
"vendor": "veeam",
"versions": [
{
"lessThanOrEqual": "8.0.0.19552",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-04T16:04:40.305592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T18:36:04.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Service Provider Console",
"vendor": "Veeam",
"versions": [
{
"lessThanOrEqual": "8.0",
"status": "affected",
"version": "8.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T01:06:04.650Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://www.veeam.com/kb4649"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2024-45206",
"datePublished": "2024-12-04T01:06:04.650Z",
"dateReserved": "2024-08-23T01:00:01.061Z",
"dateUpdated": "2025-03-13T18:36:04.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}