CVE-2023-36932 - OpenCVE

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Progress	Moveit Transfer

Configuration 1 [-]

OR	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::

References

Link	Resource
https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023	Release Notes Vendor Advisory
https://www.progress.com/moveit	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-07-05T00:00:00

Updated: 2023-07-05T00:00:00

Reserved: 2023-06-28T00:00:00

Link: CVE-2023-36932

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-05T16:15:09.687

Modified: 2023-07-12T15:52:56.957

Link: CVE-2023-36932

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "20EBACE7-9CEE-460F-9762-6B390E992E9E", "versionEndExcluding": "2020.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4FAFFDF-9990-405B-9FC6-77FAB1D580DD", "versionEndExcluding": "2021.0.9", "versionStartIncluding": "2021.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D6B93D5-C069-45A3-ABC5-26B2EBBAE204", "versionEndExcluding": "2021.1.7", "versionStartIncluding": "2021.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D02CADA-98EC-4CBA-95A0-7D4064BD5445", "versionEndExcluding": "2022.0.7", "versionStartIncluding": "2022.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "9463F53E-4941-4658-AB1D-0056B4E076F5", "versionEndExcluding": "2022.1.8", "versionStartIncluding": "2022.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "E19DF4E3-FAF8-4A4B-B2C5-7013BABBDBB5", "versionEndExcluding": "2023.0.4", "versionStartIncluding": "2023.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content."}], "id": "CVE-2023-36932", "lastModified": "2023-07-12T15:52:56.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-05T16:15:09.687", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.progress.com/moveit"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}