CVE-2024-13976
8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
A DLL injection vulnerability exists in Commvault for Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. During the installation of maintenance updates, an attacker with local access may exploit uncontrolled search path or DLL loading behavior to execute arbitrary code with elevated privileges. The vulnerability has been resolved in versions 11.20.202, 11.28.124, 11.32.65, 11.34.37, and 11.36.15.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Commvault | Commvault for Windows | 11.20.0 < 11.20.202 | affected |
| Commvault | Commvault for Windows | 11.28.0 < 11.28.124 | affected |
| Commvault | Commvault for Windows | 11.32.0 < 11.32.65 | affected |
| Commvault | Commvault for Windows | 11.34.0 < 11.34.37 | affected |
| Commvault | Commvault for Windows | 11.36.0 < 11.36.15 | affected |
Weaknesses
- CWE-427: CWE-427 Uncontrolled Search Path Element
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://documentation.commvault.com/securityadvisories/CV_2024_09_2.html
- https://www.vulncheck.com/advisories/commvault-for-windows-maintenance-installer-dll-injection
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.