SQL Injection Vulnerability in MOVEit Transfer by Progress
CVE-2021-38159

9.8CRITICAL

Key Information:

Vendor: Progress
Status: Moveit Transfer
Vendor: CVE Published:; 7 August 2021

What is CVE-2021-38159?

In various versions of MOVEit Transfer prior to 2021.0.4, an SQL injection vulnerability exists that enables unauthenticated remote attackers to exploit the web application. By crafting specific strings directed at unique MOVEit Transfer transaction types, attackers could retrieve sensitive information about the database's structure and contents or potentially execute commands that could alter or delete database elements. This vulnerability underscores the importance of updating to the latest security fixes to mitigate risks.

References

https://www.progress.com/moveit

x_refsource_MISC

https://community.progress.com/s/article/MOVEit-Transfer-...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 7, 2021
Vulnerability Reserved
Aug 7, 2021