{"api_version":"1","generated_at":"2026-04-23T01:30:51+00:00","cve":"CVE-2017-8895","urls":{"html":"https://cve.report/CVE-2017-8895","api":"https://cve.report/api/cve/CVE-2017-8895.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-8895","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-8895"},"summary":{"title":"CVE-2017-8895","description":"In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2017-05-10 21:29:00","updated_at":"2021-08-12 16:22:00"},"problem_types":["CWE-416"],"metrics":[],"references":[{"url":"http://www.securitytracker.com/id/1038561","name":"1038561","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Veritas BackupExec Use-After-Free Memory Error Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1","name":"https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"VTS17-006: Use-After-Free Vulnerability in Multiple Veritas Backup Exec Agents | Veritas™","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/98386","name":"98386","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Veritas Backup Exec Use After Free Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.exploit-db.com/exploits/42282/","name":"42282","refsource":"EXPLOIT-DB","tags":["Third Party Advisory","VDB Entry"],"title":"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit) - Windows remote Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-8895","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-8895","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"8895","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"8895","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec_15","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"8895","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec_15","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"8895","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec_16","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"8895","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec_16","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"8895","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec_2014","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"8895","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"veritas","cpe5":"backup_exec_2014","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2017-8895","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"98386","refsource":"BID","url":"http://www.securityfocus.com/bid/98386"},{"name":"https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1","refsource":"CONFIRM","url":"https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1"},{"name":"1038561","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1038561"},{"name":"42282","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/42282/"}]}},"nvd":{"publishedDate":"2017-05-10 21:29:00","lastModifiedDate":"2021-08-12 16:22:00","problem_types":["CWE-416"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":10},"severity":"HIGH","exploitabilityScore":10,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:veritas:backup_exec:*:*:*:*:*:*:*:*","versionEndExcluding":"16.0.1142.1327","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:veritas:backup_exec:*:*:*:*:*:*:*:*","versionEndExcluding":"14.1.1786.1126","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:veritas:backup_exec:*:*:*:*:*:*:*:*","versionEndExcluding":"14.2.1180.3160","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"8895","Ordinal":"105834","Title":"CVE-2017-8895","CVE":"CVE-2017-8895","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"8895","Ordinal":"1","NoteData":"In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"8895","Ordinal":"2","NoteData":"2017-05-10","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"8895","Ordinal":"3","NoteData":"2020-09-24","Type":"Other","Title":"Modified"}]}}}