VYPR
Unrated severity · NVD Advisory · Published Dec 10, 2024 · Updated Aug 4, 2025

CVE-2024-47977

Description

Dell Avamar, versions prior to 19.12 with patch 338905, excluding 19.10 and 19.10SP1 with patch 338869, contains an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dell Avamar (versions prior to 19.12 patch 338905, excluding 19.10/19.10SP1 patch 338869) is vulnerable to SQL injection, allowing a low-privileged remote attacker to execute arbitrary commands.

Vulnerability

Dell Avamar and Dell Avamar Virtual Edition contain an SQL injection vulnerability in versions prior to 19.12 with patch 338905, excluding 19.10 and 19.10SP1 with patch 338869. The flaw exists in code that fails to properly neutralize special elements used in an SQL command. A low-privileged attacker can exploit this via remote access without requiring user interaction.

Exploitation

An attacker must have low-privileged remote access to the Avamar management interface. No authentication bypass is needed; the attacker can use existing low-privilege credentials to craft malicious SQL inputs. The exploitation requires sending specially crafted requests to the vulnerable component, which then fails to sanitize the input before executing SQL commands.

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands on the underlying server. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) indicates high confidentiality impact (information disclosure), no integrity impact, and low availability impact. The attacker can read sensitive database contents but cannot directly modify data or cause a full denial of service.

Mitigation

Dell has released patches: apply patch 338905 for version 19.12, or patch 338869 for versions 19.10 and 19.10SP1. The fix is available through Dell's support portal as described in DSA-2024-489 [1]. No workaround is provided. Upgrade to the patched version immediately.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
