CVE-2024-13976

Summary

A DLL injection vulnerability exists in Commvault for Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. During the installation of maintenance updates, an attacker with local access may exploit uncontrolled search path or DLL loading behavior to execute arbitrary code with elevated privileges. The vulnerability has been resolved in versions 11.20.202, 11.28.124, 11.32.65, 11.34.37, and 11.36.15.

Affected Software

VendorProductVersion RangeStatus
CommvaultCommvault for Windows11.20.0 < 11.20.202affected
CommvaultCommvault for Windows11.28.0 < 11.28.124affected
CommvaultCommvault for Windows11.32.0 < 11.32.65affected
CommvaultCommvault for Windows11.34.0 < 11.34.37affected
CommvaultCommvault for Windows11.36.0 < 11.36.15affected

Weaknesses

  • CWE-427: CWE-427 Uncontrolled Search Path Element

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References