SQL Injection (CVE-2022-42303)
The injection occurs in the query string of the request line when accessing the service. An attacker can leverage this vulnerability to execute SQL commands against the NetBackup server. There is also a third-order SQL injection vulnerability affecting the Detailed Discovery service by abusing CVE-2022-42305. That injection occurs in the query string of the request line when accessing the Detailed Discovery service, and an attacker can leverage it to execute SQL commands against the server.

Both of these issues were addressed in the Veritas NetBackup and Veritas Backup & Replication 10.0.4 Critical Patch Update (CVE-2022-42302 and CVE-2022-42305). End users should apply this update as soon as possible. For more information, see the Critical Patch Update Advisory for Veritas NetBackup and Veritas Backup & Replication - CVE-2022-42302 and CVE-2022-42305.
Timeline
Published on: 10/03/2022 15:15:00 UTC
Last modified on: 10/04/2022 20:58:00 UTC