CVE-2022-45454: 
Acronis Cyber Protect vulnerability analysis and mitigation

Sensitive information disclosure vulnerability (CVE-2022-45454) affects Acronis Agent (Windows) before build 30161 and Acronis Cyber Protect 15 (Windows) before build 30984. The vulnerability stems from insecure folder permissions that could lead to unauthorized access to sensitive information (NVD Database, CVE Database).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. However, Acronis International GmbH assessed it with a lower CVSS score of 2.2 (LOW) with vector string CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N. The vulnerability is categorized under CWE-276 (Incorrect Default Permissions) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD Database).

The vulnerability allows unauthorized access to sensitive information due to incorrectly configured folder permissions in the affected Acronis products. This could potentially lead to the exposure of confidential data to unauthorized actors (NVD Database).

The vulnerability has been addressed in Acronis Agent (Windows) build 30161 and later, and Acronis Cyber Protect 15 (Windows) build 30984 and later. Users are advised to upgrade to these or newer versions to mitigate the vulnerability (NVD Database).