CVE-2023-34362: Progress MOVEit Transfer SQL Injection Vulnerability
First published: Fri Jun 02 2023(Updated: )
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Progress Moveit Cloud | <14.0.5.45 | |
| Progress Moveit Cloud | >=14.1.0.0<14.1.6.97 | |
| Progress Moveit Cloud | >=15.0.0.0<15.0.2.39 | |
| Progress MOVEit Transfer | <=2020.1.6 | |
| Progress MOVEit Transfer | >=2021.0<2021.0.7 | |
| Progress MOVEit Transfer | >=2021.1.0<2021.1.5 | |
| Progress MOVEit Transfer | >=2022.0.0<2022.0.5 | |
| Progress MOVEit Transfer | >=2022.1.0<2022.1.6 | |
| Progress MOVEit Transfer | >=2023.0.0<2023.0.2 | |
| Progress MOVEit Transfer |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a.
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023.
- https://www.zdnet.com/article/ransomware-leak-site-reports-rose-by-49-in-2023-but-there-is-good-news/
- https://www.theregister.com/2024/02/08/rust_software_memory_safety/
- https://www.theregister.com/2024/05/08/georgia_state_education_moveit/
Frequently Asked Questions
What is the vulnerability ID of Progress MOVEit Transfer SQL Injection Vulnerability?
The vulnerability ID of Progress MOVEit Transfer SQL Injection Vulnerability is CVE-2023-34362.
What is the affected software by CVE-2023-34362?
The affected software by CVE-2023-34362 is Progress MOVEit Transfer.
How severe is CVE-2023-34362?
CVE-2023-34362 is a SQL injection vulnerability in Progress MOVEit Transfer which could allow an unauthenticated attacker to gain access to the application's database.
How can I fix CVE-2023-34362?
To fix CVE-2023-34362, it is recommended to upgrade to Progress MOVEit Transfer versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), or 2023.0.1 (15.0.1) where the vulnerability is patched.
Where can I find more information about CVE-2023-34362?
You can find more information about CVE-2023-34362 in the following references: [1] [2] [3].
- collector/nvd-latest
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- exploited/true
- ransomware/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/severity
- agent/title
- agent/author
- agent/description
- collector/zdnet-article
- source/ZDNet
- alias/CVE-2023-0669
- alias/CVE-2023-34362
- alias/CVE-2023-35036
- alias/CVE-2023-35708
- alias/CVE-2021-21974
- agent/weakness
- agent/softwarecombine
- collector/the-register
- source/The Register
- alias/CVE-2023-33246
- alias/CVE-2023-22515
- zeroday/true
- agent/news-ai
- agent/references
- agent/tags
- agent/event
- vendor/progress
- canonical/progress moveit cloud
- version/progress moveit cloud/14.1.0.0
- version/progress moveit cloud/15.0.0.0
- canonical/progress moveit transfer
- version/progress moveit transfer/2020.1.6
- version/progress moveit transfer/2021.0
- version/progress moveit transfer/2021.1.0
- version/progress moveit transfer/2022.0.0
- version/progress moveit transfer/2022.1.0
- version/progress moveit transfer/2023.0.0