CVE-2023-42660 - OpenCVE

In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Progress	Moveit Transfer

Configuration 1 [-]

OR	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::

References

Link	Resource
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023	Vendor Advisory
https://www.progress.com/moveit	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2023-09-20T16:04:54.432Z

Updated: 2023-09-20T16:15:03.255Z

Reserved: 2023-09-12T13:30:29.571Z

Link: CVE-2023-42660

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-09-20T17:15:11.550

Modified: 2023-09-22T18:31:51.640

Link: CVE-2023-42660

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-42660", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2023-09-12T13:30:29.571Z", "datePublished": "2023-09-20T16:04:54.432Z", "dateUpdated": "2023-09-20T16:15:03.255Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["MOVEit Transfer Machine Interface"], "product": "MOVEit Transfer", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "2023.0.6 (15.0.6)", "status": "affected", "version": "2023.0.0 (15.0.0)", "versionType": "semver"}, {"lessThan": "2022.1.9 (14.1.9)", "status": "affected", "version": "2022.1.0 (14.1.0)", "versionType": "semver"}, {"lessThan": "2022.0.8 (14.0.8)", "status": "affected", "version": "2022.0.0 (14.0.0)", "versionType": "semver"}, {"lessThan": "2021.1.8 (13.1.8)", "status": "affected", "version": "2021.1.0 (13.1.0)", "versionType": "semver"}]}], "datePublic": "2023-09-20T16:03:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.</span>\n\n"}], "value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u00a0that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\n\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2023-09-20T16:15:03.255Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}], "source": {"discovery": "UNKNOWN"}, "title": "MOVEit Transfer Machine Interface SQL Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6E9F262-3E55-48FF-94A0-09C0C80FE7C0", "versionEndExcluding": "2021.1.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1FFF5B1-D887-48EA-BFD1-FBD9F699DEA3", "versionEndExcluding": "2022.0.8", "versionStartIncluding": "2022.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "64138C94-BAB8-45D2-93A1-31FC4D4F1E41", "versionEndExcluding": "2022.1.9", "versionStartIncluding": "2022.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "C35AF1A0-05E8-4F69-9F99-91925C490EE9", "versionEndExcluding": "2023.0.6", "versionStartIncluding": "2023.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u00a0that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\n\n"}, {"lang": "es", "value": "En las versiones de MOVEit Transfer lanzadas antes de 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), se ha identificado una vulnerabilidad de inyecci\u00f3n SQL en la interfaz de la m\u00e1quina MOVEit Transfer que podr\u00eda permitir que un atacante autenticado obtenga acceso no autorizado a la base de datos de MOVEit Transfer. Un atacante podr\u00eda enviar un payload manipulado a la interfaz de la m\u00e1quina MOVEit Transfer, lo que podr\u00eda provocar la modificaci\u00f3n y divulgaci\u00f3n del contenido de la base de datos de MOVEit.\n"}], "id": "CVE-2023-42660", "lastModified": "2023-09-22T18:31:51.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2023-09-20T17:15:11.550", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/moveit"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@progress.com", "type": "Secondary"}]}