Vulnerability Description
An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The wguest account could execute commands by injecting into PostgreSQL trigger functions. This allowed privilege escalation from the wguest user to the postgres user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kaseya | Unitrends Backup | >= 10.0, < 10.5.5 |
Related Weaknesses (CWE)
References
- https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961Vendor Advisory
- https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-applianExploitThird Party Advisory
- https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-applianExploitThird Party Advisory
- https://helpdesk.kaseya.com/hc/en-gb/articles/4412762258961Vendor Advisory
- https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-applianExploitThird Party Advisory
- https://www.cyberonesecurity.com/blog/exploiting-kaseya-unitrends-backup-applianExploitThird Party Advisory
FAQ
What is CVE-2021-43038?
CVE-2021-43038 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The wguest account could execute commands by injecting into PostgreSQL trigger functions. This allowed privilege escalation ...
How severe is CVE-2021-43038?
CVE-2021-43038 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-43038?
Check the references section above for vendor advisories and patch information. Affected products include: Kaseya Unitrends Backup.