Low-Privileged Role Users Can Access Plans from Unauthorized Scope
CVE-2024-22021

4.3MEDIUM

Key Information:

Vendor: Veeam
Status: Recovery Orchestrator; Disaster Recovery Orchestrator; Availability Orchestrator; Recovery Orchestrator
Vendor: CVE Published:; 7 February 2024

Summary

Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retrieve plans from a Scope other than the one they are assigned to.

Affected Version(s)

Availability Orchestrator 4

Disaster Recovery Orchestrator 5

Recovery Orchestrator 7

References

https://veeam.com/kb4541

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 7, 2024
Vulnerability Reserved
Jan 4, 2024