Commvault Web Server Unauthenticated SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Commvault Web Server component. Affected builds are 11.32.0 through 11.32.93, 11.36.0 through 11.36.51, and 11.38.0 through 11.38.19 (the fixed builds are 11.32.94, 11.36.52, and 11.38.20, so any build below the fixed build in one of these branches should be treated as affected). The flaw allows remote, unauthenticated attackers to perform SQL injection against systems where the CommServe and Web Server roles are installed. Other Commvault components in the same environment are not affected.

Impact

Successful exploitation lets an unauthenticated remote attacker inject into queries issued by the Web Server, which could be used to manipulate those queries and potentially read or modify information in the backing database.

Remediation

Users are advised to update to Commvault version 11.32.94, 11.36.52, or 11.38.20 (or later in the respective branch). For more information on installing Commvault software updates, refer to the Commvault documentation on 'Installing Commvault Software Updates on Demand'. If the update cannot be applied, isolate the Command Center and Web Server installation from external network access until it can be.
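As an added check (not part of the advisory), the following script classifies Commvault hosts against the branch and fixed-build numbers above. Only the fixed builds 11.32.94, 11.36.52 and 11.38.20 come from the advisory; the hostnames, version strings and role names in the sample inventory are constructed for illustration, and the assumption that the installed version is available as a plain "major.minor.build" string is mine. It follows the advisory's scoping literally: a host counts as exposed only if it runs both the CommServe and Web Server roles and its build is below the fixed build for its branch.

```python
"""Classify Commvault hosts against the affected ranges in this advisory.

Only the fixed-build numbers below are taken from the advisory. The
inventory at the bottom is constructed sample data, not real hosts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Fixed builds per 11.x branch (from the advisory). Any build below the fixed
# build in the same branch is treated as affected, the conservative reading.
FIXED_BUILDS = {
    (11, 32): (11, 32, 94),
    (11, 36): (11, 36, 52),
    (11, 38): (11, 38, 20),
}

# Roles the advisory names as the exposed combination.
EXPOSED_ROLES = {"CommServe", "Web Server"}

# Assumption: the installed version is available as "major.minor.build".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' into an int tuple; reject anything else
    rather than silently comparing a truncated or non-numeric string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build = (int(g) for g in m.groups())
    return (major, minor, build)


@dataclass
class Verdict:
    version: str
    status: str              # 'affected', 'fixed', 'out-of-scope', 'unlisted-branch'
    fixed_in: Optional[str]  # fixed build for the host's branch, if listed


def assess(version: str, roles: Set[str]) -> Verdict:
    """Classify one host by installed build and installed roles."""
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        # Branch not mentioned by the advisory: neither affected nor fixed here.
        return Verdict(version, "unlisted-branch", None)
    fixed_str = ".".join(str(n) for n in fixed)
    if not EXPOSED_ROLES <= roles:
        # Advisory: other Commvault components are not affected.
        return Verdict(version, "out-of-scope", fixed_str)
    if (major, minor, build) < fixed:
        return Verdict(version, "affected", fixed_str)
    return Verdict(version, "fixed", fixed_str)


# Constructed sample inventory: (hostname, installed version, installed roles).
SAMPLE_INVENTORY = [
    ("cs-prod-01", "11.38.17", {"CommServe", "Web Server"}),  # below 11.38.20
    ("cs-prod-02", "11.38.20", {"CommServe", "Web Server"}),  # at fixed build
    ("ma-prod-01", "11.36.40", {"MediaAgent"}),               # role not in scope
    ("cs-lab-01", "11.32.93", {"CommServe", "Web Server"}),   # below 11.32.94
]


def hosts_needing_update(inventory) -> List[Tuple[str, Verdict]]:
    """Return (hostname, verdict) for every host still exposed."""
    exposed = []
    for hostname, version, roles in inventory:
        verdict = assess(version, roles)
        if verdict.status == "affected":
            exposed.append((hostname, verdict))
    return exposed


if __name__ == "__main__":
    for hostname, verdict in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{hostname}: {verdict.version} affected, update to {verdict.fixed_in}")
```

Feed it the real inventory (hostname, version, roles) from your asset system; hosts reported as affected need the update, or network isolation of the Command Center and Web Server until it is applied.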

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread:         4.5
impact:         3.1
exploitability: 7.0
remediation:    7.9
relevance:      0.3
threat:         0.0
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.