// For flags

CVE-2021-34993

Commvault CommCell CVSearchService Authentication Bypass Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

This vulnerability allows remote attackers to bypass authentication on affected installations of Commvault CommCell 11.22.22. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CVSearchService service. The issue results from the lack of proper validation prior to authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-13706.

Esta vulnerabilidad permite a atacantes remotos omitir la autenticación en las instalaciones afectadas de Commvault CommCell versión 11.22.22. No es requerida una autenticación para explotar esta vulnerabilidad. El fallo específico se presenta en el servicio CVSearchService. El problema es debido a una falta de comprobación apropiada antes de la autenticación. Un atacante puede aprovechar esta vulnerabilidad para omitir la autenticación en el sistema. Fue ZDI-CAN-13706

This vulnerability allows remote attackers to bypass authentication on affected installations of Commvault CommCell. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the CVSearchService service. The issue results from the lack of proper validation prior to authentication. An attacker can leverage this vulnerability to bypass authentication on the system.

*Credits: Brandon Perry, Justin Kennedy and Steven Seeley of Source Incite
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-06-17 CVE Reserved
  • 2021-11-22 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-11-21 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
CAPEC
References (1)
URL Tag Source
https://www.zerodayinitiative.com/advisories/ZDI-21-1328 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Commvault
Search vendor "Commvault"
 Commcell
Search vendor "Commvault" for product "Commcell"
 11.22.22
Search vendor "Commvault" for product "Commcell" and version "11.22.22"
-
Affected