- Advisory ID: CV_2025_04_2
- Severity: MEDIUM
- Issued: 2025-04-14
- Updated: 2025-04-16
- CVSS Score Range: 5.5
A security vulnerability has been identified in the CommServe and Web Server installation that allows an unauthenticated remote attacker to perform SQL injection. Other installations on the same system are not compromised by this vulnerability.
Impacted Products
Product | Platforms | Affected Versions | Resolved Version | Status |
---|---|---|---|---|
Commvault | Linux, Windows | 11.32.0 - 11.32.93 | 11.32.94 | Resolved |
Commvault | Linux, Windows | 11.36.0 - 11.36.51 | 11.36.52 | Resolved |
Commvault | Linux, Windows | 11.38.0 - 11.38.19 | 11.38.20 | Resolved |
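To turn the table above into an actionable check, the following is an added example (not Commvault tooling, and not part of the original advisory) that classifies an installed Commvault version string against the affected ranges and reports the maintenance release that resolves it. Numeric comparison matters here: a string comparison would rank 11.32.9 above 11.32.93. Feature releases the table does not mention are reported as "not listed" rather than "not affected", because the advisory makes no statement about them. The version strings in the block are constructed sample inputs.

```python
# Added example (not Commvault's own tooling): check an installed Commvault
# version string against the affected ranges published in this advisory and
# report whether it is affected and the maintenance release that resolves it.

from dataclasses import dataclass
from typing import Optional, Tuple

# Affected ranges and resolved versions, transcribed from the advisory table.
# (low, high, resolved) per feature release.
AFFECTED_RANGES = [
    ("11.32.0", "11.32.93", "11.32.94"),
    ("11.36.0", "11.36.51", "11.36.52"),
    ("11.38.0", "11.38.19", "11.38.20"),
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a tuple of ints for ordered comparison.

    String comparison would rank '11.32.9' above '11.32.93', which is why the
    components are converted to integers first. Surrounding whitespace and a
    leading 'v'/'V' are tolerated; anything else is rejected.
    """
    cleaned = text.strip().lstrip("vV")
    parts = cleaned.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Commvault version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Assessment:
    version: str
    status: str                      # "affected", "resolved" or "not listed"
    resolved_version: Optional[str]  # target release, when the host is affected


def assess_version(text: str) -> Assessment:
    """Classify an installed version against the advisory table.

    - inside an affected range -> "affected", with the target release
    - at or above the listed resolved version on the same feature release
      -> "resolved" (later maintenance releases such as 11.38.25 carry the fix)
    - on a feature release the table does not mention -> "not listed"
      (the advisory says nothing about it; check with the vendor separately)
    """
    installed = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        lo, hi, fx = parse_version(low), parse_version(high), parse_version(fixed)
        # Only compare against the row for the same feature release (11.32, 11.36, 11.38).
        if installed[:2] != lo[:2]:
            continue
        if lo <= installed <= hi:
            return Assessment(text, "affected", fixed)
        if installed >= fx:
            return Assessment(text, "resolved", None)
    return Assessment(text, "not listed", None)


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real CommServe.
    for sample in ["11.32.93", "11.32.94", "11.36.51", "11.38.5", "11.38.25", "11.30.80"]:
        a = assess_version(sample)
        target = f" -> install {a.resolved_version}" if a.resolved_version else ""
        print(f"{a.version:>9}: {a.status}{target}")
```

Run it against the version reported by each CommServe, Web Server and Command Center host; any "affected" result names the maintenance release to install, and any "not listed" result means the host runs a feature release this advisory does not cover.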
Resolution
To remediate this issue, immediately install the resolved maintenance release for the affected version on the CommServe, Web Servers, and Command Center. This vulnerability does not affect client computers.
For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.
For the 11.38 Innovation Release, the issue has been resolved in the following Innovation Update releases:
- 11.38.20, which includes the fix as of April 10, 2025
- 11.38.25, which includes the fix as of April 10, 2025
Innovation Update releases are applied automatically according to predefined schedules, so no manual intervention is required.
If installing the update is not feasible, isolate the Command Center and Web Server installations from external network access as an interim mitigation until the maintenance release can be applied.