[FD] [Full Disclosure] CVE-2024-22901: Default MYSQL Credentials in Vinchin Backup & Recovery v7.2 and Earlier

[Valentin Lobstein via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>]

CVE ID: CVE-2024-22901

Title: Default MYSQL Credentials Vulnerability in Vinchin Backup & Recovery v7.2

Description:
A critical security issue, identified as CVE-2024-22901, has been discovered in 
Vinchin Backup & Recovery version 7.2. The software has been found to use 
default MYSQL credentials, which could lead to significant security risks.

Additional Information:
Vinchin has not addressed previous disclosures, including CVE-2022-35866, and 
has not patched the reported vulnerabilities. The presence of these unresolved 
issues, now compounded by the newly discovered vulnerability of default MYSQL 
credentials, opens up potential avenues for easy unauthenticated Remote Code 
Execution (RCE). This lack of response is alarming for a product that is 
certified in cybersecurity and poses a considerable risk to its users.

Vulnerability Type:
Incorrect Access Control

Vendor of Product:
Vinchin

Affected Product Code Base:
Vinchin Backup & Recovery - Version 7.2

Affected Component:
The MySQL database used by Vinchin Backup & Recovery

Attack Type:
Remote

Impact - Escalation of Privileges:
True

Attack Vectors:
The vulnerability can be exploited via local or remote access, utilizing the 
unpatched default MySQL credentials.

Discoverer:
Valentin Lobstein

Reference:
http://vinchin.com

Conclusion:
The discovery of CVE-2024-22901 highlights a critical oversight in Vinchin 
Backup & Recovery's security posture. Users are advised to be cautious and to 
monitor for any updates or patches from Vinchin, which should be applied 
immediately to mitigate this risk.

Signed,Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/