CVE-2017-15367
published 2018-03-07

Priority P2 · 74 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 24.26% (97.6th percentile)
Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server.

Affected (3 ranges)

Vendor      | Product    | Version range     | Fixed in
bacula-web  | bacula-web | >= 0 < 8.0.0-rc2  | 8.0.0-rc2
bacula      | bacula-web | <= 7.4.0          |
bacula      | bacula-web |                   |

Detection & IOCs (extracted from sources)

path: /backupjob-report.php
path: /client-report.php
url: /client-report.php?period=7&client_id=21%20UNION%20ALL%20SELECT%20NULL,@@version%23
command: 21 UNION ALL SELECT NULL,@@version#
  • Monitor HTTP GET requests to /client-report.php and /backupjob-report.php for SQL injection patterns in parameters such as 'client_id' and 'backupjob_name', particularly UNION-based payloads and comment terminators (# / %23).
  • Flag requests containing URL-encoded SQL keywords (%20UNION%20ALL%20SELECT%20, %23) in query parameters targeting Bacula-Web endpoints.
  • The 'client_id' parameter in /client-report.php and 'backupjob_name' in /backupjob-report.php are confirmed injectable; treat any non-integer or specially crafted value in these parameters as suspicious.
  • Affected version is Bacula-Web 5.7.19-0ubuntu0.16.04.1; identify unpatched instances (pre-8.0.0-RC2) in the environment as high-priority targets.
  • Privilege escalation impact depends on the database user configured for Bacula-Web; a highly privileged DB account significantly increases the blast radius.
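The detection guidance above, turned into a small log checker as an added example (not code from cvebase or the Bacula-Web project): it parses common-log-format request lines, URL-decodes the query string, and flags requests to the two endpoints named in this record whose injectable parameter carries SQL keywords or comment terminators, or a non-integer client_id. The sample log lines are constructed; the endpoint and parameter names come from the record.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints and the parameter the record reports as injectable on each.
WATCHED = {
    "/client-report.php": "client_id",
    "/backupjob-report.php": "backupjob_name",
}
# SQL fragments typical of UNION-based injection, checked after URL decoding.
SQLI_PATTERN = re.compile(r"\bUNION\b|\bSELECT\b|--|#|/\*", re.IGNORECASE)
# Common-log-format request field: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_request(target):
    """Return a reason string if the request matches the CVE-2017-15367 pattern, else None."""
    parts = urlsplit(target)
    param = WATCHED.get(parts.path)
    if param is None:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    for raw in values:
        value = unquote(raw)  # parse_qs decoded once; a second pass catches double encoding
        if SQLI_PATTERN.search(value):
            return f"{param}: SQL keyword or comment in value {value!r}"
        if param == "client_id" and not value.isdigit():
            return f"{param}: non-integer value {value!r}"
    return None


def scan_log(lines):
    """Return [(line_number, reason)] for every suspicious GET in an access log."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and m.group("method") == "GET":
            reason = inspect_request(m.group("target"))
            if reason:
                hits.append((n, reason))
    return hits


# Constructed sample log lines (not taken from the record's sources).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2018:10:00:01 +0000] "GET /client-report.php?period=7&client_id=21 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Mar/2018:10:00:02 +0000] "GET /client-report.php?period=7&client_id=21%20UNION%20ALL%20SELECT%20NULL,@@version%23 HTTP/1.1" 200 900',
    '10.0.0.9 - - [07/Mar/2018:10:00:03 +0000] "GET /backupjob-report.php?backupjob_name=nightly%20UNION%20ALL%20SELECT%20NULL%23 HTTP/1.1" 200 700',
    '10.0.0.7 - - [07/Mar/2018:10:00:04 +0000] "GET /index.php?client_id=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```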

CVSS provenance

NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)