GNU social JP

Impacted Products

Product: Commvault
Platforms: Linux, Windows
Affected Versions: 11.38.0 - 11.38.19
Resolved Version: 11.38.20
Status: Resolved

Resolution

This vulnerability impacts only the 11.38 Innovation Release and has been resolved in the following Innovation Update releases along with additional updates. All other versions are not affected.

  • 11.38.20, with the following additional updates: SP38-CU20-433, SP38-CU20-436
  • 11.38.25, with the following additional updates: SP38-CU25-434, SP38-CU25-438

Download link

https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/464/450/506/092/601/original/f3c0de7a8753837f.png

Notices where this attachment appears

  1. Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 08-May-2025 13:25:43 JST

    Oh, wow.

    Only after pestering the Commvault PSIRT did they update the language of their advisory.

    While it still incorrectly says that 11.38.0 - 11.38.19 are affected and that 11.38.20 is resolved (it is not), they've added a section below this misinformation to convey the actual state of the world:

    11.38.20 is only patched if it has the SP38-CU20-433 and SP38-CU20-436 additional updates installed.

    And 11.38.25 is only patched if it has the SP38-CU25-434 and SP38-CU25-438 additional updates installed.

    I cannot think of a behavior that is more vindictive to their customers to botch language in an advisory so bad, and also to not bother bumping release versions for the fixes for a CVSS 10 EITW vulnerability. 🤦♂️


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.