Executive Summary

Title Commvault Edge contains a buffer overflow vulnerability
Name VU#214283 First vendor Publication 2017-03-16
Vendor VU-CERT Last vendor Modification 2017-03-16
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#214283

Commvault Edge contains a buffer overflow vulnerability

Original Release date: 16 Mar 2017 | Last revised: 16 Mar 2017


Commvault Edge, version 11 SP6 (, is vulnerable to a stack-based buffer overflow vulnerability.


CWE-121: Stack-based Buffer Overflow - CVE-2017-3195

A stack based buffer overflow in the Commvault Edge Communication Service (cvd) allows remote attackers to execute arbitrary code via crafted packets, exploiting weaknesses in the key exchange mechanism. Access to TCP port 8400 (by default) on the target machine is necessary to exploit this vulnerability.


An unauthenticated remote attacker can execute arbitrary code with root/SYSTEM privileges.


Apply an update
Commvault has provided fixes in the latest service pack (SP7 and above) to address the vulnerability. SP6 customers can use hotfix 590.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
CommvaultAffected24 Jan 201709 Mar 2017
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://kb.commvault.com/article/SEC0013
  • https://cwe.mitre.org/data/definitions/121.html


Thanks to Claudio Moletta for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

  • CVE IDs:CVE-2017-3195
  • Date Public:15 Mar 2017
  • Date First Published:16 Mar 2017
  • Date Last Updated:16 Mar 2017
  • Document Revision:8


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/214283

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Application 7

Alert History

If you want to see full details history, please login or register.
Date Informations
2018-01-02 21:24:25
  • Multiple Updates
2017-12-16 09:23:30
  • Multiple Updates
2017-03-16 17:22:41
  • First insertion