This advisory is archived
- Advisory ID: CV_2021_08_1
- Title: Authentication Bypass Vulnerabilities on CVWebService Endpoint
- Severity: MEDIUM
- Issued: 2021-08-08
- Updated: 2021-08-08
- CVSS Score Range: 4.0 - 6.9
The following security vulnerabilities were reported with Commvault’s CVWebService Web Server endpoint:
- Authentication bypass on a subset of web server APIs allows unauthorized users to download files from the web server.
- CommCell users that do not have administrator permissions can upload files to the Download Center or to Commvault App Studio.
Impacted Products
These vulnerabilities affect the Commvault Web Server on Service Pack 16 and Feature Releases 11.20-11.24.
Resolution
To fix these vulnerabilities, download and install the following maintenance release (or a more recent release) for your Feature Release on the CommServe and Web Server.
Feature Release | Maintenance Release |
---|---|
11.24 | 7 |
11.23 | 21 |
11.22 | 36 |
11.20 | 64 |
SP16 | 116 |