
Clarification on Security Updates and Maintenance Release versions site

  • July 22, 2025
  • 5 replies
  • 143 views


In the List of Updates for the various Maintenance Release versions, there is now a new table section at the top of the site showing Security Updates. For example, for Feature Release 32 the latest Maintenance Release is 11.32.106 and this site shows the updates:

https://documentation.commvault.com/2024e/essential/files/service_pack/updates/11_32_106.htm

Which shows this new table with three new security updates:

Security Updates

Issue                                                        Hotfix
Made changes to use v7 encryption instead of v3 encryption.  12324
PSIRT fixes for REST API Qcommand and QAPI login.            12323
Restricted public user access to APIs.                       12321

But what is confusing is whether these three Security Updates are only contained in release 11.32.106 or whether they are also contained in earlier maintenance releases. For example, the updates for 11.32.102 contain the same three security updates:

https://documentation.commvault.com/2024e/essential/files/service_pack/updates/11_32_102.htm

 

While 11.32.96 does not contain the Security Updates table:

https://documentation.commvault.com/2024e/essential/files/service_pack/updates/11_32_96.htm

 

As such, is it correct to say that an upgrade to 11.32.102 is required to ensure the three security patches are included? If that's the case, then perhaps the Security Updates table should be located under the "Included from Maintenance Release 11.32.###" section instead.

Furthermore, this site doesn’t show the three Security Updates:

https://documentation.commvault.com/securityadvisories/

 

I would like some clarification on whether, moving forward, I need to consult both websites for security patches. And within each Maintenance Release site, it should be clarified whether a Security Update is a "new" one or one that already existed in a previous Maintenance Release build.

 


5 replies

Jennifer Kelley
Vaulter

Hi @JSNOPUD, thanks for the question. I am checking with our docs team on your clarifications here. cc @Sougato Roy


  • Author
  • Byte
  • July 24, 2025

It looks like this site has just been updated:

https://documentation.commvault.com/2024e/essential/files/service_pack/updates/11_32_106.htm

 

To reflect that the three Security Updates were introduced in 11.32.102, as they now appear under that section:

 

Included from Maintenance Release 11.32.102 (Jun 02, 2025)

Security Updates

Issue                                                        Hotfix
Made changes to use v7 encryption instead of v3 encryption.  12324
PSIRT fixes for REST API Qcommand and QAPI login.            12323
Restricted public user access to APIs.                       12321

Just for clarification, are these three new Security Updates also expected to appear at this site:

https://documentation.commvault.com/securityadvisories/


Jennifer Kelley
Vaulter

Hi @JSNOPUD, thanks for updating the thread and for the feedback here. I connected with our docs team; their clarifications are below, and they updated the earlier service pack release docs as you noted.

These three security updates are included in 11.32.102 and later.
(So yes to upgrading to that or subsequent Maintenance Release, and they’ve updated the page as noted. Thanks for flagging!)

Re: the Security Advisories page vs. the Maintenance Release pages, we only list the resolved CU pack version on the security advisories page. Individual updates in the CU pack are listed on the readme page.

Our docs team is currently working on organizing the readme page to better structure updates with the goal of grouping them into Security Updates and Software Updates, and potentially further subcategorizing by the CU pack version in which each update was originally introduced.

Jenn


  • Author
  • Byte
  • July 24, 2025

Thanks for your response, Jennifer.

 

Just for clarification, what exactly is a CU pack?

 

Currently in my organization, priority for upgrades is given to builds that have security updates, so we will not immediately upgrade to the latest maintenance release unless there are security updates.

 

Previously, I’ve always only consulted this site:

https://documentation.commvault.com/securityadvisories/

 

And for Feature Release 11.32, according to that site it looks like the last build containing security updates is 11.32.94:

https://documentation.commvault.com/securityadvisories/CV_2025_04_2.html

 

And certain advisories give more specific CVE and CVSS score information such as this one:

https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html

 

This information is documented in my organization whenever we install the security updates. Whereas this site, aside from listing the security updates, doesn't show more specific information such as CVE and CVSS details: https://documentation.commvault.com/2024e/essential/files/service_pack/updates/11_32_102.htm

 

Just for clarification once again: suppose I am running 11.32.94. Moving forward, should I consult the Maintenance Release builds (latest https://documentation.commvault.com/2024e/essential/files/service_pack/updates/11_32_106.htm) to see if there are Security Updates, and not just consult this site:

https://documentation.commvault.com/securityadvisories/

 

Or does this site:

https://documentation.commvault.com/securityadvisories/

 

still suffice in finding out if there are any new security updates?


  • Author
  • Byte
  • Answer
  • August 20, 2025

It looks like this Security Advisory site:

https://documentation.commvault.com/securityadvisories/

 

has finally listed the four Security Vulnerabilities:

CV_2025_08_1: Argument Injection Vulnerability in CommServe
CV_2025_08_2: Path Traversal Vulnerability
CV_2025_08_3: Unauthorized API Access Risk
CV_2025_08_4: Vulnerability in Initial Administrator Login Process
 

These require an upgrade to at least 11.32.102 to resolve the vulnerabilities.

 

And (hopefully) they address the same three Security Updates mentioned in the 11.32.102 section at:

https://documentation.commvault.com/2023e/essential/files/service_pack/updates/11_32_112.htm