PT-2016-3247 · Commvault · Commvault
Wchen-R7
Published: 2016-12-08 · Updated: 2019-10-03
CVE-2017-18044
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Commvault versions prior to v11 SP6
Description
A Command Injection issue was discovered in the ContentStore/Base/CVDataPipe.dll of Commvault. The issue arises from a message parsing function inside the Commvault service that does not properly validate an incoming string before passing it to CreateProcess. This allows a specially crafted message to inject commands that will be executed on the target operating system. Exploitation of this issue does not require authentication and can lead to SYSTEM-level privileges on any system running the cvd daemon.
Recommendations
For Commvault versions prior to v11 SP6, update to version v11 SP6 or later to resolve the issue. As a temporary workaround, consider restricting access to the cvd daemon to minimize the risk of exploitation.
Exploit
Fix
OS Command Injection
Command Injection
Affected products
Commvault