CVE-2021-34995

Name of the Vulnerable Software and Affected Versions Commvault CommCell version 11.22.22

Description This issue allows remote attackers to execute arbitrary code on affected installations. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. The specific flaw exists within the DownloadCenterUploadHandler class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this issue to execute code in the context of NETWORK SERVICE.

Recommendations For Commvault CommCell version 11.22.22, consider disabling the DownloadCenterUploadHandler class until a patch is available to prevent the upload of arbitrary files and mitigate the risk of remote code execution. Restrict access to the DownloadCenterUploadHandler class to minimize the risk of exploitation. Avoid using the vulnerable class until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.