CVE-2024-47484

Vulnerability

Dell Avamar (and Avamar Virtual Edition) versions prior to 19.12 with patch 338905, excluding 19.10 and 19.10SP1 with patch 338869, are affected by an improper neutralization of special elements used in an SQL command (SQL injection) vulnerability [1]. The vulnerability exists in an unspecified component reachable over the network without authentication.

Exploitation

An unauthenticated attacker with remote network access can exploit this vulnerability by sending crafted SQL queries to the affected component. No user interaction or special privileges are required. The CVSS vector indicates low attack complexity and no privileges required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the underlying system. The CVSS score is 8.2 (High) with impacts to confidentiality (High) and availability (Low), but no direct impact on integrity [1]. The attacker gains command execution capability, potentially leading to full system compromise.

Mitigation

Dell has released patches: apply patch 338905 for version 19.12, or patch 338869 for versions 19.10 and 19.10SP1. Users should upgrade to the fixed versions as per the advisory [1]. No workarounds are mentioned.