A SQL injection vulnerability [CVE-2023-34362] was found in Progress Software’s MOVEit Transfer web application and announced on May 31, 2023.
The vulnerability could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Refer to Progress Software’s post for more information:
Progress Community, “MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362)”
Affected Versions
- 2021.0.6 (13.0.6)
- 2021.1.4 (13.1.4)
- 2022.0.4 (14.0.4)
- 2022.1.5 (14.1.5)
- 2023.0.1 (15.0.1)
What’s Available
- See potential exposure: The preliminary results of a product fingerprinting scan identifying internet-facing versions of the MOVEit Transfer product on IPs attributed to companies within your Bitsight portfolio. Contact your Bitsight Customer Success Manager or Bitsight Support to learn more.
- See related results in the Security Incidents risk vector based on news coverage about named victims and/or announcements from the victims themselves. Note that when it is clear from the disclosures that a victim was running their own installation of MOVEit Transfer, this will show up as a ratings-impacting Security Incident. In most cases, victims will be indirect (see origin), since their data was present on an associated company's installation; indirect incidents are not ratings-impacting.
What’s Next
- We are refining the product fingerprinting scan to produce a higher confidence data set for inferring exposure to the vulnerability. We intend to make this data available in Vulnerability Detection during the week of June 12th.
- We are continuing to invest in both our security research and product capabilities supporting vulnerability detection and response, with the intention of enhancing our ability to enable rapid prioritization, analysis, and outreach to our customers in these scenarios.
- We are also investigating the Huntress findings [CVE-2023-35036].