{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-34136", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.562Z", "datePublished": "2025-07-25T15:49:23.837Z", "dateUpdated": "2025-11-19T01:28:56.047Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["CVWebService"], "platforms": ["Linux", "Windows"], "product": "Commvault", "vendor": "Commvault", "versions": [{"lessThanOrEqual": "11.32.93", "status": "affected", "version": "11.32.0", "versionType": "semver"}, {"lessThanOrEqual": "11.36.51", "status": "affected", "version": "11.36.0", "versionType": "semver"}, {"lessThanOrEqual": "11.38.19", "status": "affected", "version": "11.38.0", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*", "versionEndIncluding": "11.32.93", "versionStartIncluding": "11.32.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*", "versionEndIncluding": "11.36.51", "versionStartIncluding": "11.36.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*", "versionEndIncluding": "11.38.19", "versionStartIncluding": "11.38.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.</p>"}], "value": "An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}, {"capecId": "CAPEC-137", "descriptions": [{"lang": "en", "value": "CAPEC-137 Parameter Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-11-19T01:28:56.047Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://documentation.commvault.com/securityadvisories/CV_2025_04_2.html"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/commvault-commserve-web-server-unauth-sqli"}], "source": {"discovery": "UNKNOWN"}, "title": "Commvault CommServe Web Server Unauthenticated SQL Injection", "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-25T18:30:37.202196Z", "id": "CVE-2025-34136", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-25T18:31:26.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34136", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-25T18:30:37.202196Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-25T18:30:54.527Z"}}], "cna": {"title": "Commvault CommServe Web Server Unauthenticated SQL Injection", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}, {"capecId": "CAPEC-137", "descriptions": [{"lang": "en", "value": "CAPEC-137 Parameter Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Commvault", "modules": ["CVWebService"], "product": "Commvault", "versions": [{"status": "affected", "version": "11.32.0", "versionType": "semver", "lessThanOrEqual": "11.32.93"}, {"status": "affected", "version": "11.36.0", "versionType": "semver", "lessThanOrEqual": "11.36.51"}, {"status": "affected", "version": "11.38.0", "versionType": "semver", "lessThanOrEqual": "11.38.19"}], "platforms": ["Linux", "Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.commvault.com/securityadvisories/CV_2025_04_2.html", "tags": ["vendor-advisory", "patch"]}, {"url": "https://www.vulncheck.com/advisories/commvault-commserve-web-server-unauth-sqli", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.", "supportingMedia": [{"type": "text/html", "value": "<p>An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "11.32.93", "versionStartIncluding": "11.32.0"}, {"criteria": "cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "11.36.51", "versionStartIncluding": "11.36.0"}, {"criteria": "cpe:2.3:a:commvault:commvault:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "11.38.19", "versionStartIncluding": "11.38.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-11-19T01:28:56.047Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34136", "state": "PUBLISHED", "dateUpdated": "2025-11-19T01:28:56.047Z", "dateReserved": "2025-04-15T19:15:22.562Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-07-25T15:49:23.837Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n SQL en el componente de servidor web de Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51 y 11.38.0 - 11.38.19, que permite a un atacante remoto no autenticado realizar una inyecci\u00f3n SQL. La vulnerabilidad afecta a los sistemas donde est\u00e1n instalados los roles CommServe y Servidor web. Otros componentes de Commvault implementados en el mismo entorno no se ven afectados."}], "id": "CVE-2025-34136", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-07-25T16:15:28.650", "references": [{"source": "disclosure@vulncheck.com", "url": "https://documentation.commvault.com/securityadvisories/CV_2025_04_2.html"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/commvault-commserve-web-server-unauth-sqli"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{}