Vulnerability Database

308,926

Total vulnerabilities in the database

CVE-2017-18044

A Command Injection issue was discovered in ContentStore/Base/CVDataPipe.dll in Commvault before v11 SP6. A certain message parsing function inside the Commvault service does not properly validate the input of an incoming string before passing it to CreateProcess. As a result, a specially crafted message can inject commands that will be executed on the target operating system. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the cvd daemon. This is a different vulnerability than CVE-2017-3195.

Published: Jan 19, 2018
Updated: Nov 9, 2025
CVE: CVE-2017-18044
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
commvault / commvault	11.0-sp1	11.0-sp1.x
commvault / commvault	11.0-sp2	11.0-sp2.x
commvault / commvault	11.0-sp3	11.0-sp3.x
commvault / commvault	11.0-sp4	11.0-sp4.x
commvault / commvault	11.0-sp5	11.0-sp5.x
commvault / commvault	-	11.0.x

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo