TROYANOSYVIRUS
Voltar para CVEs

CVE-2023-34362

CRITICALCISA KEV
9.8

Descricao

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Detalhes CVE

Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado6/2/2023
Ultima modificacao10/27/2025
Fontekev
Avistamentos honeypot0

CISA KEV

FornecedorProgress
ProdutoMOVEit Transfer
Nome da vulnerabilidadeProgress MOVEit Transfer SQL Injection Vulnerability
Data inclusao KEV2023-06-02
Prazo de remediacao2023-06-23
Uso em ransomwareKnown

Produtos afetados

progress:moveit_cloudprogress:moveit_transfer

Fraquezas (CWE)

CWE-89CWE-89

Referencias

http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html(cve@mitre.org)
http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html(cve@mitre.org)
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023(cve@mitre.org)
http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-34362(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.