CVE-2024-13976

A DLL injection vulnerability exists in Commvault for Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. During the installation of maintenance updates, an attacker with local access may exploit uncontrolled search path or DLL loading behavior to execute arbitrary code with elevated privileges. The vulnerability has been resolved in versions 11.20.202, 11.28.124, 11.32.65, 11.34.37, and 11.36.15.

CVSS

No CVSS.

References

Link	Resource
https://documentation.commvault.com/securityadvisories/CV_2024_09_2.html
https://www.vulncheck.com/advisories/commvault-for-windows-maintenance-installer-dll-injection

Configurations

No configuration.

History

29 Jul 2025, 14:14

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de inyección de DLL en Commvault para Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0 y 11.36.0. Durante la instalación de actualizaciones de mantenimiento, un atacante con acceso local podría aprovechar una ruta de búsqueda no controlada o un comportamiento de carga de DLL para ejecutar código arbitrario con privilegios elevados. La vulnerabilidad se ha resuelto en las versiones 11.20.202, 11.28.124, 11.32.65, 11.34.37 y 11.36.15.

25 Jul 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-25 16:15

Updated : 2025-07-29 14:14

NVD link : CVE-2024-13976

Mitre link : CVE-2024-13976

CVE.ORG link : CVE-2024-13976

JSON object : View

Products Affected

No product.

CWE

CWE-427

Uncontrolled Search Path Element

{"id": "CVE-2024-13976", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-25T16:15:27.690", "references": [{"url": "https://documentation.commvault.com/securityadvisories/CV_2024_09_2.html", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/commvault-for-windows-maintenance-installer-dll-injection", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-427"}]}], "descriptions": [{"lang": "en", "value": "A DLL injection vulnerability exists in Commvault for Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. During the installation of maintenance updates, an attacker with local access may exploit uncontrolled search path or DLL loading behavior to execute arbitrary code with elevated privileges.\u00a0The vulnerability has been resolved in versions 11.20.202, 11.28.124, 11.32.65, 11.34.37, and 11.36.15."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de DLL en Commvault para Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0 y 11.36.0. Durante la instalaci\u00f3n de actualizaciones de mantenimiento, un atacante con acceso local podr\u00eda aprovechar una ruta de b\u00fasqueda no controlada o un comportamiento de carga de DLL para ejecutar c\u00f3digo arbitrario con privilegios elevados. La vulnerabilidad se ha resuelto en las versiones 11.20.202, 11.28.124, 11.32.65, 11.34.37 y 11.36.15."}], "lastModified": "2025-07-29T14:14:55.157", "sourceIdentifier": "disclosure@vulncheck.com"}