CVE-2023-42660 - OpenCVE

In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Progress	Moveit Transfer

Configuration 1 [-]

OR	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::

No data.

References

Link	Providers
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023
https://www.progress.com/moveit

History

No history.

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published: 2023-09-20T16:04:54.432Z

Updated: 2024-08-02T19:23:40.129Z

Reserved: 2023-09-12T13:30:29.571Z

Link: CVE-2023-42660

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-20T17:15:11.550

Modified: 2023-09-22T18:31:51.640

Link: CVE-2023-42660

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42660", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2023-09-12T13:30:29.571Z", "datePublished": "2023-09-20T16:04:54.432Z", "dateUpdated": "2024-08-02T19:23:40.129Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["MOVEit Transfer Machine Interface"], "product": "MOVEit Transfer", "vendor": "Progress Software Corporation", "versions": [{"lessThan": "2023.0.6 (15.0.6)", "status": "affected", "version": "2023.0.0 (15.0.0)", "versionType": "semver"}, {"lessThan": "2022.1.9 (14.1.9)", "status": "affected", "version": "2022.1.0 (14.1.0)", "versionType": "semver"}, {"lessThan": "2022.0.8 (14.0.8)", "status": "affected", "version": "2022.0.0 (14.0.0)", "versionType": "semver"}, {"lessThan": "2021.1.8 (13.1.8)", "status": "affected", "version": "2021.1.0 (13.1.0)", "versionType": "semver"}]}], "datePublic": "2023-09-20T16:03:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.</span>\n\n"}], "value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u00a0that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\n\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2023-09-20T16:15:03.255Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}], "source": {"discovery": "UNKNOWN"}, "title": "MOVEit Transfer Machine Interface SQL Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:23:40.129Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6E9F262-3E55-48FF-94A0-09C0C80FE7C0", "versionEndExcluding": "2021.1.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1FFF5B1-D887-48EA-BFD1-FBD9F699DEA3", "versionEndExcluding": "2022.0.8", "versionStartIncluding": "2022.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "64138C94-BAB8-45D2-93A1-31FC4D4F1E41", "versionEndExcluding": "2022.1.9", "versionStartIncluding": "2022.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "C35AF1A0-05E8-4F69-9F99-91925C490EE9", "versionEndExcluding": "2023.0.6", "versionStartIncluding": "2023.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u00a0that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\n\n"}, {"lang": "es", "value": "En las versiones de MOVEit Transfer lanzadas antes de 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), se ha identificado una vulnerabilidad de inyecci\u00f3n SQL en la interfaz de la m\u00e1quina MOVEit Transfer que podr\u00eda permitir que un atacante autenticado obtenga acceso no autorizado a la base de datos de MOVEit Transfer. Un atacante podr\u00eda enviar un payload manipulado a la interfaz de la m\u00e1quina MOVEit Transfer, lo que podr\u00eda provocar la modificaci\u00f3n y divulgaci\u00f3n del contenido de la base de datos de MOVEit.\n"}], "id": "CVE-2023-42660", "lastModified": "2023-09-22T18:31:51.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2023-09-20T17:15:11.550", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/moveit"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@progress.com", "type": "Secondary"}]}