CVE-2017-15367 in Bacula-Web
Summary
by MITRE
Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/13/2025
Bacula-web represents a web-based interface for managing Bacula backup systems, which are widely deployed enterprise backup solutions used to protect critical data assets across organizations. The vulnerability identified as CVE-2017-15367 affects versions prior to 8.0.0-rc2 and stems from inadequate input validation mechanisms within the web application's database interaction components. This flaw manifests as multiple SQL injection vulnerabilities that arise when user-supplied data is directly incorporated into SQL query constructions without proper sanitization or parameterization. The vulnerability exists at the application layer where web requests are processed and translated into database operations, creating an attack surface that can be exploited by malicious actors to manipulate database queries through crafted inputs.
The technical exploitation of these SQL injection vulnerabilities allows attackers to execute arbitrary SQL commands against the Bacula database backend, potentially enabling unauthorized data access, modification, or deletion operations. Depending on the database user permissions and system configuration, successful exploitation could lead to privilege escalation scenarios where attackers gain elevated access rights within the server environment. The vulnerability specifically targets the web interface's handling of user inputs that are subsequently used in database queries, making it particularly dangerous as it can be exploited through standard web application attack vectors without requiring specialized tools or deep system knowledge. Attackers can leverage these injection points to extract sensitive backup configuration data, access backup job logs, or potentially manipulate backup schedules and policies.
From an operational impact perspective, the vulnerability poses significant risks to enterprise backup environments where Bacula-web serves as the primary management interface. Organizations relying on these systems face potential data breaches, compliance violations, and operational disruptions if backup data becomes compromised or manipulated. The attack surface extends beyond simple data theft to include potential service disruption through database corruption or unauthorized access to backup storage locations. According to CWE classification, this vulnerability maps to CWE-89 SQL Injection, which is categorized under the weakness type of "Input Validation and Representation" and is particularly concerning due to its potential for privilege escalation. The ATT&CK framework categorizes this as a technique involving "SQL Injection" under the "Command and Control" and "Credential Access" phases, demonstrating how attackers can leverage such vulnerabilities to establish persistent access to backup systems.
Mitigation strategies for CVE-2017-15367 require immediate patching of affected Bacula-web installations to version 8.0.0-rc2 or later, which includes proper input sanitization and parameterized query implementations. Organizations should also implement network segmentation to limit access to Bacula-web interfaces, enforce strong authentication mechanisms, and conduct regular security assessments of backup management systems. Additionally, database access controls should be strictly enforced, limiting the privileges of database users to only those required for Bacula operations. Security monitoring should be enhanced to detect unusual database query patterns that may indicate exploitation attempts, and regular backup integrity checks should be implemented to verify the consistency of backup data. The vulnerability highlights the importance of secure coding practices in web applications and demonstrates how seemingly simple input validation failures can create substantial security risks in enterprise backup infrastructure.