Authentication Bypass in Vinchin Backup and Recovery by Vinchin
CVE-2022-35866

9.8CRITICAL

Key Information:

Vendor

Vinchin

Vendor
CVE Published:
3 August 2022

What is CVE-2022-35866?

A significant security concern has been identified in Vinchin Backup and Recovery versions prior to 7.2, where remote attackers can exploit a weak configuration in the MySQL server. The issue stems from the use of hard-coded credentials for the administrator user, enabling attackers to bypass authentication without any prior authentication steps. This vulnerability poses a serious risk as it allows unauthorized access to sensitive data and system controls, highlighting the importance of securing database configurations appropriately.

Affected Version(s)

Backup and Recovery 6.5.0.17561

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Esjay
.