- Advisory ID: CV_2024_08_1
- Severity: CRITICAL
- Issued: 2024-08-05
- Updated: 2024-09-16
We have identified vulnerabilities that allow SQL injection and command injection. These are fixed in all supported versions of Commvault software.
Through the SQL injection, users with no access to the CommCell can remotely execute commands on the web server.
The command injection issue was found in the save as script operation.
Impacted Products
| Product | Versions | Platforms | Resolved Versions | Status |
|---|---|---|---|---|
| Commvault | 11.34.0 | Windows | 11.34.36 | resolved |
| Commvault | 11.32.0 | Windows | 11.32.63 | resolved |
| Commvault | 11.28.0 | Windows | 11.28.122 | resolved |
| Commvault | 11.24.0 | Windows | 11.24.153 | resolved |
| Commvault | 11.20.0 | Windows | 11.20.200 | resolved |
Resolution
To resolve this issue, install the following minimum maintenance release version for the affected Platform Release on the CommServe and Web Servers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
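As an added check that is not part of the advisory or of Commvault's own tooling, the following Python script compares an inventory of reported CommServe and Web Server versions against the minimum resolved versions in the table above. It assumes versions are dotted numeric strings of the form platform release plus maintenance release (for example 11.32.63) and that the hostnames and versions in the inventory are constructed sample data. A platform release that does not appear in the table is reported as "unlisted" rather than assumed fixed, so it can be verified separately.

```python
"""Compare reported Commvault versions against the minimum fixed releases in CV_2024_08_1."""
from typing import Optional

# Taken from the advisory table: affected platform release -> minimum resolved maintenance release.
RESOLVED_VERSIONS = {
    "11.34": "11.34.36",
    "11.32": "11.32.63",
    "11.28": "11.28.122",
    "11.24": "11.24.153",
    "11.20": "11.20.200",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into integers.

    Assumption (not stated by the advisory): versions look like '11.32.63',
    i.e. at least three numeric components.
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def platform_release(version: str) -> str:
    """Return the platform release ('11.32') that a full version belongs to."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def assess(version: str) -> dict:
    """Classify one reported version as 'fixed', 'vulnerable' or 'unlisted'.

    'unlisted' means the platform release is not in the advisory table; it is
    deliberately not treated as fixed.
    """
    release = platform_release(version)
    fixed: Optional[str] = RESOLVED_VERSIONS.get(release)
    if fixed is None:
        return {"version": version, "release": release, "status": "unlisted", "minimum_fixed": None}
    status = "fixed" if parse_version(version) >= parse_version(fixed) else "vulnerable"
    return {"version": version, "release": release, "status": status, "minimum_fixed": fixed}


def triage(hosts: dict) -> list:
    """Given {hostname: version}, return the hostnames still below the minimum fixed release."""
    return sorted(h for h, v in hosts.items() if assess(v)["status"] == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    inventory = {
        "commserve01": "11.32.50",
        "webserver01": "11.34.36",
        "webserver02": "11.28.100",
        "lab-cs": "11.36.2",
    }
    for host, ver in inventory.items():
        print(host, assess(ver))
    print("needs maintenance release:", triage(inventory))
```

Feed the script the versions reported by each CommServe and Web Server and patch every host it lists as vulnerable; hosts reported as unlisted should be checked against the vendor's current guidance rather than assumed safe.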