Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault

Two pre-authentication Remote Code Execution (RCE) chains were discovered in Commvault version 11.38.20. The first chain, applicable to any unpatched instance, allows for authentication bypass and RCE via argument injection in the qlogin QCommand and absolute path traversal in QCommand output writer. The second chain, requiring specific conditions, leverages authentication bypass and privilege escalation to achieve RCE.