Progress MOVEit Transfer: CVE-2023-34362: Improper Neutralization of Special Elements used in an SQL Command
| Severity | CVSS v2 vector | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | May 31, 2023 | Jun 1, 2023 | Jun 21, 2023 |
Description
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability in the MOVEit Transfer web application could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Note: this vulnerability was exploited in the wild in May and June 2023; unpatched systems can be exploited over HTTP or HTTPS. All versions before the five fixed releases listed above (e.g., 2020.0 and 2019.x), including older unsupported versions, are affected.
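The affected-version rule above is branch-specific (each supported branch has its own fixed build) while every older branch is affected outright, which is easy to get wrong in an inventory script. The following is an added example, not code from Progress or from this advisory: it encodes exactly the five fixed builds and the internal build numbers listed in the description, and flags a MOVEit Transfer version string as vulnerable or not. Two things it assumes are labelled in the code: that internal build majors below 13 predate 2021.0 (the listed mapping 13 = 2021, 14 = 2022, 15 = 2023 suggests this, but the page does not state it), and that any branch newer than 2023.0 shipped after the fix.

```python
"""Affected-version check for CVE-2023-34362 (Progress MOVEit Transfer).

Added example; not Progress code and not part of the advisory. A release is
vulnerable if it sits on one of the five listed branches and is older than
that branch's fixed build, or if it is on any branch older than 2021.0.
"""
from __future__ import annotations

# Fixed builds per branch, exactly as listed in the advisory text.
FIXED: dict[tuple[int, int], tuple[int, int, int]] = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}

# Internal build numbering for the same branches (13.0.6 == 2021.0.6, ...),
# also taken from the advisory text.
INTERNAL_TO_BRANCH: dict[tuple[int, int], tuple[int, int]] = {
    (13, 0): (2021, 0),
    (13, 1): (2021, 1),
    (14, 0): (2022, 0),
    (14, 1): (2022, 1),
    (15, 0): (2023, 0),
}

OLDEST_FIXED_INTERNAL_MAJOR = 13  # internal major of the 2021.0 branch


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '2022.1.3', '2022.1', '14.1.3' or '2022.1.3 (14.1.3)' into
    (major, minor, patch). A trailing parenthesised form is ignored."""
    token = text.strip().split()[0]
    parts = [int(p) for p in token.split(".")]
    if len(parts) < 2:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    parts += [0] * (3 - len(parts))
    major, minor, patch = parts[:3]
    return major, minor, patch


def is_vulnerable(text: str) -> bool:
    """True if the given MOVEit Transfer version is affected by CVE-2023-34362."""
    major, minor, patch = parse_version(text)
    if major < 1000:
        # Internal build numbering rather than the year-based scheme.
        branch = INTERNAL_TO_BRANCH.get((major, minor))
        if branch is None:
            # Assumption (not stated on the page): internal majors run
            # monotonically with release year, so anything below 13 predates
            # 2021.0 and is affected outright; anything else is post-fix.
            return major < OLDEST_FIXED_INTERNAL_MAJOR
        major, minor = branch
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    if branch < min(FIXED):
        # 2020.0, 2019.x and every older branch: affected, no fixed build.
        return True
    # Assumption: branches newer than 2023.0 shipped after the fix.
    return False


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("mft-01", "2022.1.4"), ("mft-02", "2022.1.5 (14.1.5)"),
                      ("mft-03", "2020.0.2"), ("mft-04", "15.0.1")]:
        print(f"{host}: {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
```

The parenthesised internal build number is dropped during parsing because the year-based part of the string already identifies the branch; feed the bare internal number (e.g. `14.1.4`) if that is all an inventory tool reports.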
Solution
Upgrade Progress MOVEit Transfer to a fixed release: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1), or later (solution ID: progress-moveit-transfer-upgrade-latest).
References
- CVE-2023-34362
- https://attackerkb.com/topics/CVE-2023-34362
- http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)