bacula CVE Vulnerabilities & Metrics

Focus on bacula vulnerabilities and metrics.

Last updated: 21 Aug 2025, 22:25 UTC

About bacula Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with bacula. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total bacula CVEs: 2
Earliest CVE date: 20 Sep 2005, 22:03 UTC
Latest CVE date: 29 Jul 2025, 20:15 UTC

Latest CVE reference: CVE-2025-45346

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

[Charts: Monthly CVE Trends (current vs previous year); Annual CVE Trends (last 20 years); Critical bacula CVEs (CVSS ≥ 9) over 20 years]

CVSS Stats

Average CVSS: 4.51

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 3
4.0-6.9 2
7.0-8.9 2
9.0-10.0 0

[Chart: CVSS distribution]

Top 5 Highest CVSS bacula CVEs

These are the five CVEs with the highest CVSS scores for bacula, sorted first by severity, then by recency.

All CVEs for bacula

CVE-2025-45346 bacula vulnerability CVSS: 0 29 Jul 2025, 20:15 UTC

SQL Injection vulnerability in Bacula-web before v.9.7.1 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request.

CVE-2017-15367 bacula vulnerability CVSS: 7.5 07 Mar 2018, 20:29 UTC

Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server.

CVE-2014-8295 bacula vulnerability CVSS: 7.5 15 Oct 2014, 14:55 UTC

SQL injection vulnerability in joblogs.php in Bacula-Web 5.2.10 allows remote attackers to execute arbitrary SQL commands via the jobid parameter.

CVE-2012-4430 bacula vulnerability CVSS: 4.0 10 Oct 2012, 18:55 UTC

The dump_resource function in dird/dird_conf.c in Bacula before 5.2.11 does not properly enforce ACL rules, which allows remote authenticated users to obtain resource dump information via unspecified vectors.

CVE-2008-5373 bacula vulnerability CVSS: 6.9 08 Dec 2008, 23:30 UTC

mtx-changer.Adic-Scalar-24 in bacula-common 2.4.2 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/mtx.##### temporary file, probably a related issue to CVE-2005-2995.

CVE-2007-5626 bacula vulnerability CVSS: 2.1 23 Oct 2007, 16:46 UTC

make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL password as a command line argument, and sometimes transmits cleartext e-mail containing this command line, which allows context-dependent attackers to obtain the password by listing the process and its arguments, or by sniffing the network.

CVE-2005-2995 bacula vulnerability CVSS: 3.6 20 Sep 2005, 22:03 UTC

bacula 1.36.3 and earlier allows local users to modify or read sensitive files via symlink attacks on (1) the temporary file used by autoconf/randpass when openssl is not available, or (2) the mtx.[PID] temporary file in mtx-changer.in.