CVE-2021-34997

Name of the Vulnerable Software and Affected Versions Commvault CommCell version 11.22.22

Description This issue allows remote attackers to execute arbitrary code on affected installations. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The specific flaw exists within the AppStudioUploadHandler class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this issue to execute code in the context of NETWORK SERVICE.

Recommendations For Commvault CommCell version 11.22.22, consider disabling the AppStudioUploadHandler class as a temporary workaround until a patch is available. Restrict access to the vulnerable class to minimize the risk of exploitation. Avoid using the vulnerable functionality in the affected installations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.