CVE-2021-34994

Name of the Vulnerable Software and Affected Versions Commvault CommCell version 11.22.22

Description This issue allows remote attackers to execute arbitrary code on affected installations. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The specific flaw exists within the DataProvider class and results from the lack of proper validation of a user-supplied string before executing it as JavaScript code. An attacker can leverage this issue to escape the JavaScript sandbox and execute Java code in the context of NETWORK SERVICE.

Recommendations For Commvault CommCell version 11.22.22, as a temporary workaround, consider disabling the DataProvider class until a patch is available. Restrict access to the DataProvider class to minimize the risk of exploitation. Avoid using user-supplied strings in the affected JavaScript code until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.