CVE-2023-28818

An issue was discovered in Veritas NetBackup IT Analytics 11 before 11.2.0. The application upgrade process included unsigned files that could be exploited and result in a customer installing unauthentic components. A malicious actor could install rogue Collector executable files (aptare.jar or upgrademanager.zip) on the Portal server, which might then be downloaded and installed on collectors.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
mitreCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AC:L/AV:N/A:N/C:N/I:L/PR:N/S:U/UI:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
VendorProductVersion
veritasaptare_it_analytics
𝑥
< 10.6.00
veritasnetbackup_it_analytics
11.0.00
veritasnetbackup_it_analytics
11.1.00
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.veritas.com/content/support/en_US/security/VTS23-002
https://www.veritas.com/content/support/en_US/security/VTS23-002