Hello guys,
A new vulnerability has been found in the Web Console component of Veeam Recovery Orchestrator.
Issue Details
CVE-2024-29855
A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges.
Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack.
Severity: Critical
CVSS 3.1 Score: 9.0
Solution
The vulnerability discussed in this article was resolved starting in:
- Veeam Recovery Orchestrator 7.1.0.230
- Veeam Recovery Orchestrator 7.0.0.379
More info in KB4585; a patch is already available :) : https://www.veeam.com/kb4585
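The fix lands in two release branches, so a plain "is my build number higher" comparison is not enough: a 7.1 build below 7.1.0.230 is still unpatched even though it sorts above 7.0.0.379. The snippet below is an added example (not from the post or from Veeam) that encodes the per-branch fixed builds listed above; the four-part version format and the treatment of other branches as "not covered by this advisory" are assumptions, so confirm against KB4585 for anything outside 7.0 and 7.1.

```python
from typing import Optional, Tuple

# First fixed build per release branch, as listed in KB4585 (from the post above).
# Keyed by the first two version components; any other branch is not covered here.
FIXED_BUILDS = {
    "7.0": (7, 0, 0, 379),
    "7.1": (7, 1, 0, 230),
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a four-part VRO build string such as '7.0.0.337' (format assumed)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected VRO version format: {version!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def is_patched(version: str) -> Optional[bool]:
    """True if the build carries the CVE-2024-29855 fix, False if it predates it
    on a covered branch, None if the branch is not covered by the advisory."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None  # assumption: other branches must be checked manually against KB4585
    # Compare within the same branch only, so 7.1.0.100 is not mistaken for
    # "newer than 7.0.0.379" and therefore safe.
    return v >= fixed


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for sample in ("7.0.0.337", "7.0.0.379", "7.1.0.229", "7.1.0.230", "6.0.0.100"):
        print(sample, "->", is_patched(sample))
```

Run it against the build shown in the VRO web UI or the installer; a `None` result means the branch is outside what this post lists, not that it is safe.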