Progress Software has issued an urgent warning to customers about newly uncovered critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer solution. These vulnerabilities could potentially allow attackers to pilfer information from unsuspecting customers’ databases.
The Critical-Severity Vulnerability: CVE-2023-36934
The vulnerability labelled as CVE-2023-36934 poses a critical threat to several versions of Progress MOVEit Transfer. Specifically, this affects releases prior to 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). The threat here is a SQL injection vulnerability within the MOVEit Transfer web application.
An unauthenticated attacker could potentially exploit this vulnerability to gain unauthorized access to the MOVEit Transfer database. This could be achieved by submitting a specially crafted payload to a MOVEit Transfer application endpoint, resulting in unauthorized modification and exposure of MOVEit database content.
Guy Lederfein of Trend Micro, working with the Zero Day Initiative, is credited with discovering this critical vulnerability.
The High-Severity Vulnerabilities: CVE-2023-36932 and CVE-2023-36933
The vulnerabilities identified as CVE-2023-36932 and CVE-2023-36933 are considered of high severity. Like the previous vulnerability, CVE-2023-36932 affects multiple versions of MOVEit Transfer released before specific versions. However, in this case, an authenticated attacker could exploit the vulnerability by injecting a malicious payload, leading to unauthorized access, modification, and disclosure of database content. HackerOne’s cchav3z, q5ca, and nicolas_zilio are credited with this discovery.
CVE-2023-36933, the second high-stakes threat, can trigger an unhandled exception in the MOVEit Transfer application, causing it to terminate unexpectedly. This vulnerability affects versions of MOVEit Transfer released before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). The discovery of this vulnerability is credited to HackerOne’s jameshorseman.
Below are the current list of MOVEit Transfer versions that have a patch available for these new vulnerabilities
|Affected Version||Fixed Version||Documentation||Release Notes|
|MOVEit Transfer 2020.1.6 (12.1.6) or later||MOVEit Transfer 2020.1.11 (12.1.11)||Download the patch at the link in the Fixed Version column and see the readme.txt file in the zip file for instructions||MOVEit Transfer 2020.1.11 Release Notes|
|MOVEit Transfer 2020.0.x (12.0.x) or older||Must upgrade to a supported version||See MOVEit Transfer Upgrade|
and Migration Guide