cnvd - cnvd-2025-18249

CNVD-2025-18249

Vulnerability from cnvd - Published: 2025-08-12

Title

Dell Avamar SQL注入漏洞（CNVD-2025-18249）

Description

Dell Avamar是一款数据备份和恢复软件。 Dell Avamar中存在SQL注入漏洞。该漏洞源于对SQL命令中使用的特殊元素缺乏适当的中和。攻击者可以利用该漏洞执行命令。

Severity

高

Patch Name

Dell Avamar SQL注入漏洞（CNVD-2025-18249）的补丁

Patch Description

Dell Avamar是一款数据备份和恢复软件。 Dell Avamar中存在SQL注入漏洞。该漏洞源于对SQL命令中使用的特殊元素缺乏适当的中和。攻击者可以利用该漏洞执行命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已提供漏洞修复方案，请关注厂商主页更新： https://www.dell.com

Reference

https://www.dell.com/support/kbdoc/en-us/000258636/dsa-2024-489-security-update-for-dell-avamar-and-dell-avamar-virtual-edition-security-update-for-multiple-vulnerabilities

Impacted products

Name
DELL Dell Avamar

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-47977",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-47977"
    }
  },
  "description": "Dell Avamar\u662f\u4e00\u6b3e\u6570\u636e\u5907\u4efd\u548c\u6062\u590d\u8f6f\u4ef6\u3002\n\nDell Avamar\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9SQL\u547d\u4ee4\u4e2d\u4f7f\u7528\u7684\u7279\u6b8a\u5143\u7d20\u7f3a\u4e4f\u9002\u5f53\u7684\u4e2d\u548c\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u547d\u4ee4\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.dell.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-18249",
  "openTime": "2025-08-12",
  "patchDescription": "Dell Avamar\u662f\u4e00\u6b3e\u6570\u636e\u5907\u4efd\u548c\u6062\u590d\u8f6f\u4ef6\u3002\r\n\r\nDell Avamar\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9SQL\u547d\u4ee4\u4e2d\u4f7f\u7528\u7684\u7279\u6b8a\u5143\u7d20\u7f3a\u4e4f\u9002\u5f53\u7684\u4e2d\u548c\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell Avamar SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2025-18249\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "DELL Dell Avamar"
  },
  "referenceLink": "https://www.dell.com/support/kbdoc/en-us/000258636/dsa-2024-489-security-update-for-dell-avamar-and-dell-avamar-virtual-edition-security-update-for-multiple-vulnerabilities",
  "serverity": "\u9ad8",
  "submitTime": "2024-12-13",
  "title": "Dell Avamar SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2025-18249\uff09"
}

CVE-2024-47977 (GCVE-0-2024-47977)

Vulnerability from cvelistv5 – Published: 2024-12-10 10:26 – Updated: 2025-08-04 18:39

Summary

Dell Avamar, versions prior to 19.12 with patch 338905, excluding 19.10 and 19.10SP1 with patch 338869, contains an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

dell

References

URL

Tags

https://www.dell.com/support/kbdoc/en-us/00025863…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Dell	Avamar	Affected: 19.4 Affected: 19.7 Affected: 19.8 Affected: 19.9 Affected: 19.10 Affected: 19.10SP1

Credits

Dell would like to thank Kentaro Kawane of GMO Cybersecurity by Ierae working with Trend Micro Zero Day Initiative for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47977",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-10T15:39:53.200938Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-10T17:16:20.020Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Avamar",
          "vendor": "Dell",
          "versions": [
            {
              "status": "affected",
              "version": "19.4"
            },
            {
              "status": "affected",
              "version": "19.7"
            },
            {
              "status": "affected",
              "version": "19.8"
            },
            {
              "status": "affected",
              "version": "19.9"
            },
            {
              "status": "affected",
              "version": "19.10"
            },
            {
              "status": "affected",
              "version": "19.10SP1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dell would like to thank Kentaro Kawane of GMO Cybersecurity by Ierae working with Trend Micro Zero Day Initiative for reporting this issue."
        }
      ],
      "datePublic": "2024-12-09T18:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Dell Avamar, versions prior to 19.12 with patch 338905, excluding 19.10 and 19.10SP1 with patch 338869, contains an Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution."
            }
          ],
          "value": "Dell Avamar, versions prior to 19.12 with patch 338905, excluding 19.10 and 19.10SP1 with patch 338869, contains an Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-04T18:39:35.486Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-us/000258636/dsa-2024-489-security-update-for-dell-avamar-and-dell-avamar-virtual-edition-security-update-for-multiple-vulnerabilities"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2024-47977",
    "datePublished": "2024-12-10T10:26:54.861Z",
    "dateReserved": "2024-10-08T04:36:39.201Z",
    "dateUpdated": "2025-08-04T18:39:35.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-18249

CVE-2024-47977 (GCVE-0-2024-47977)

Tags

Sightings

Nomenclature