CVE-2020-15419
Veeam ONE Reporter_ImportLicense Page_Load XML External Entity Processing Information Disclosure Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE 10.0.0.750_20200415. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM. Was ZDI-CAN-10710.
Esta vulnerabilidad permite a atacantes remotos revelar información confidencial sobre las instalaciones afectadas de Veeam ONE versión 10.0.0.750_20200415. No es requerida una autenticación para explotar esta vulnerabilidad. El fallo específico se presenta dentro de la clase Reporter_ImportLicense. Debido a la restricción inapropiada de referencias XML External Entity (XXE), un documento especialmente diseñado que especifica un URI causa que el analizador XML acceda al URI e inserte el contenido nuevamente en el documento XML para su posterior procesamiento. Un atacante puede aprovechar esta vulnerabilidad para revelar el contenido del archivo en el contexto de SYSTEM. Fue ZDI-CAN-10710
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Veeam ONE. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Reporter_ImportLicense class. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose file contents in the context of SYSTEM.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-30 CVE Reserved
- 2020-07-08 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://www.zerodayinitiative.com/advisories/ZDI-20-822 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://www.veeam.com/kb3221 | 2020-08-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Veeam Search vendor "Veeam" | One Firmware Search vendor "Veeam" for product "One Firmware" | < 9.5.4.4587 Search vendor "Veeam" for product "One Firmware" and version " < 9.5.4.4587" | - |
Affected
| in | Veeam Search vendor "Veeam" | One Search vendor "Veeam" for product "One" | - | - |
Safe
|
Veeam Search vendor "Veeam" | One Firmware Search vendor "Veeam" for product "One Firmware" | >= 10.0.0.0 < 10.0.0.750 Search vendor "Veeam" for product "One Firmware" and version " >= 10.0.0.0 < 10.0.0.750" | - |
Affected
| in | Veeam Search vendor "Veeam" | One Search vendor "Veeam" for product "One" | - | - |
Safe
|