CVE-2022-36991: 
Veritas NetBackup Client vulnerability analysis and mitigation

An issue was discovered in Veritas NetBackup versions 8.1.x through 8.1.2, 8.2, 8.3.x through 8.3.0.2, 9.x through 9.0.0.1, and 9.1.x through 9.1.0.1 (and related NetBackup products). The vulnerability (CVE-2022-36991) was disclosed on July 28, 2022, and allows an attacker with authenticated access to a NetBackup Client to arbitrarily write content to a partially controlled path on a NetBackup Primary server (AttackerKB, Veritas Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N), indicating a high severity issue. The attack vector is network-based with low attack complexity, requires low privileges, and no user interaction. The scope is unchanged, with no impact on confidentiality, high impact on integrity, and no impact on availability (Veritas Advisory).

The vulnerability allows an authenticated attacker to write arbitrary content to a partially controlled path on a NetBackup Primary server, potentially compromising the integrity of the system. This could lead to unauthorized file modifications and potential system compromise (Veritas Advisory).

Veritas has released HotFixes for affected versions including NetBackup 8.1.2, 8.2, 8.3.0.1, 8.3.0.2, 9.0.0.1, and 9.1.0.1. Users are advised to apply the appropriate HotFix to Primary servers as well as all Media servers. For versions prior to 8.1.2, users should upgrade to a newer version and apply the corresponding NetBackup HotFix (Veritas Advisory).