The MOVEit Transfer web application by Progress Software has multiple SQL injection vulnerabilities [CVE-2023-34362, CVE-2023-35036, & CVE-2023-35708].
These could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Affected Versions
- 2021.0.6 (13.0.6)
- 2021.1.4 (13.1.4)
- 2022.0.4 (14.0.4)
- 2022.1.5 (14.1.5)
- 2023.0.1 (15.0.1)
Remediation & Mitigation
- Search for “MOVEit” or by CVE ID at the top-right in Vulnerability Detection to see currently and previously impacted companies. Select a company to view evidence details regarding their exposure.
- See related results in the Security Incidents risk vector based on news coverage about named victims and/or announcements from the victims themselves. Note that when it's clear from the disclosures that a victim was running their own installation of MOVEit Transfer, this will show up as a ratings-impacting Security Incident. In most cases, victims will be indirect (see origin) since their data was present on an associated company's installation, which are not ratings-impacting.
Updates
- June 16, 2023 – Vulnerability Detection available for CVE-2023-34362.
- June 9, 2023 – CVE-2023-34362 under investigation.
- June 26, 2023: CVE-2023-35036 now searchable.
- June 23, 2023: CVE-2023-35708 now searchable.
- June 16, 2023: Vulnerability Detection available for CVE-2023-34362.
Feedback
0 comments
Please sign in to leave a comment.