An authenticated user with a valid username and password can execute arbitrary SQL commands in the database. The SQL Injection can be exploited by remote attackers to access sensitive data, create new user accounts or escalate their privileges. A remote attacker can exploit this vulnerability to inject and execute SQL commands in the database. This issue is currently being tracked under Veritas bug ID VB100005. An advisory with recommended mitigations for this issue can be found here.

Vulnerability found in other Veritas products

An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. The NetBackup Primary server is vulnerable to a SQL Injection attack affecting the NBFSMNAMES service.

Description of the vulnerability

An authenticated user with a valid username and password can execute arbitrary SQL commands in the database. This is a SQL Injection vulnerability that affects the NBFSMNAMES service. A remote attacker can exploit this vulnerability to inject and execute SQL commands in the database. This issue is currently being tracked under Veritas bug ID VB100005.

SQL Injection

SQL injection is a form of injection attack in which malicious SQL is inserted into a query that an application sends to its database.
This vulnerability can be used by remote attackers to access sensitive data, create new user accounts or escalate their privileges. This issue is currently being tracked under Veritas bug ID VB104004. An advisory with recommended mitigations for this issue can be found here.

Vulnerability found in other NetBackup products

The following versions of NetBackup are affected by this vulnerability:
* 9.0 through 10.2
* 11.0 through 11.4
* 12.1 through 12.3

Bug Finding and Exploitation Techniques

This vulnerability is located in the NBFSMNAMES service. A remote attacker can exploit this vulnerability to inject and execute SQL commands in the database.

Vulnerability found in Veritas Backup Exec

A vulnerability in the way backup jobs are accepted in Veritas Backup Exec was discovered through exploitation of a SQL Injection. A remote attacker can exploit this vulnerability to inject and execute SQL commands in the database. An authenticated user with a valid username and password can execute arbitrary SQL commands in the database. The SQL Injection can be exploited by remote attackers to access sensitive data, create new user accounts or escalate their privileges. This issue is currently being tracked under Veritas bug ID VB105044. An advisory with recommended mitigations for this issue can be found here.

Timeline

Published on: 10/03/2022 15:15:00 UTC
Last modified on: 10/05/2022 14:46:00 UTC
