{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29212", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2024-03-19T01:04:06.323Z", "datePublished": "2024-05-13T01:07:49.112Z", "dateUpdated": "2024-08-02T01:10:54.643Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Veeam", "product": "Service Provider Console", "versions": [{"version": "8", "status": "affected", "lessThanOrEqual": "8", "versionType": "semver"}, {"version": "7", "status": "affected", "lessThanOrEqual": "7", "versionType": "semver"}]}], "references": [{"url": "https://www.veeam.com/kb4575"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-05-13T01:07:49.112Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29212", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-13T11:57:03.814114Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*"], "vendor": "veeam", "product": "service_provider_console", "versions": [{"status": "affected", "version": "7"}, {"status": "affected", "version": "8"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:58:16.449Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.643Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.veeam.com/kb4575", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.veeam.com/kb4575", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.643Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29212", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-13T11:57:03.814114Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*"], "vendor": "veeam", "product": "service_provider_console", "versions": [{"status": "affected", "version": "7"}, {"status": "affected", "version": "8"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-13T12:02:44.080Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "Veeam", "product": "Service Provider Console", "versions": [{"status": "affected", "version": "8", "versionType": "semver", "lessThanOrEqual": "8"}, {"status": "affected", "version": "7", "versionType": "semver", "lessThanOrEqual": "7"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.veeam.com/kb4575"}], "descriptions": [{"lang": "en", "value": "Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-05-13T01:07:49.112Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29212", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:10:54.643Z", "dateReserved": "2024-03-19T01:04:06.323Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2024-05-13T01:07:49.112Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:veeam:veeam_service_provider_console:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D0E94C5-E9EC-412B-8DE3-26A3FC796C2E", "versionEndExcluding": "7.0.0.19551", "vulnerable": true}, {"criteria": "cpe:2.3:a:veeam:veeam_service_provider_console:*:*:*:*:*:*:*:*", "matchCriteriaId": "524A8202-AA13-4F9D-A0F1-1B3AFFC5532D", "versionEndExcluding": "8.0.0.19552", "versionStartIncluding": "8.0.0.18054", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine."}, {"lang": "es", "value": "Debido a un m\u00e9todo de deserializaci\u00f3n inseguro utilizado por el servidor Veeam Service Provider Console (VSPC) en la comunicaci\u00f3n entre el agente de administraci\u00f3n y sus componentes, bajo ciertas condiciones, es posible realizar la ejecuci\u00f3n remota de c\u00f3digo (RCE) en la m\u00e1quina del servidor VSPC."}], "id": "CVE-2024-29212", "lastModified": "2025-06-30T17:53:09.313", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2024-05-14T15:15:43.623", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://www.veeam.com/kb4575"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.veeam.com/kb4575"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}