Avamar SQL Injection Vulnerability Could Lead to Command Execution
CVE-2024-47977

8.8HIGH

Key Information:

Vendor: Dell
Status: Avamar
Vendor: CVE Published:; 10 December 2024

Summary

Dell Avamar versions 19.x are susceptible to an SQL injection vulnerability that allows low privileged attackers with remote access to exploit the system. This weakness arises from improper neutralization of special elements utilized in SQL commands. Successful exploitation could facilitate command execution, potentially compromising the integrity and security of the data managed by Avamar. Users are advised to apply available security updates to mitigate the risk associated with this vulnerability.

Affected Version(s)

Avamar 19.4

Avamar 19.7

Avamar 19.8

References

https://www.dell.com/support/kbdoc/en-us/000258636/dsa-20...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Oct 8, 2024

Credit

Dell would like to thank Kentaro Kawane of GMO Cybersecurity by Ierae working with Trend Micro Zero Day Initiative for reporting this issue.