CVE-2024-29855 — Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrato... | CVE Daily

Critical CVSS 9.0

Overview

Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator

CWE: CWE-798 Published: 2024-06-11T04:15:12.953

Risk analysis

This vulnerability is rated 🔴 CRITICAL.

CVSS: 9.0 (CRITICAL)
Detected tags: jwt, unauth_access (tag impact: HIGH)

Recommended actions:

Use strong algorithms (HS256/RS256), rotate secrets, short expiries.
Enforce authentication/authorization; reduce default endpoint exposure.

Recommended tools

Tags