CVE-2021-34996

Name of the Vulnerable Software and Affected Versions Commvault CommCell versions 11.22.22

Description The issue is related to incorrect code generation management in the Demo ExecuteProcessOnGroup process of the CommCell storage management software. Exploitation of this issue can allow a remote attacker to execute arbitrary code by sending a specially crafted request. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The flaw exists within the Demo ExecuteProcessOnGroup workflow, allowing an attacker to specify an arbitrary command to be executed, potentially executing code in the context of SYSTEM.

Recommendations For Commvault CommCell version 11.22.22, consider disabling the Demo ExecuteProcessOnGroup workflow as a temporary workaround until a patch is available. Restrict access to the workflow to minimize the risk of exploitation. Avoid using the workflow to execute arbitrary commands until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.