CVE-2023-36934
Published: 05 July 2023
Summary
CVE-2023-36934 is a critical-severity SQL Injection (CWE-89) vulnerability in Progress MOVEit Transfer. Its CVSS base score is 9.1 (Critical).
Operationally, its exploit-likelihood ranking places it in the top 0.3% of all CVEs, although it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-36934 is a SQL injection vulnerability in the Progress MOVEit Transfer web application, present in all releases before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). The flaw exists in an application endpoint and carries a CVSS 3.1 base score of 9.1: the attack vector is network, attack complexity is low, and neither privileges nor user interaction are required, with high impact on confidentiality and integrity.
An unauthenticated remote attacker can submit a specially crafted payload to the affected endpoint, resulting in modification and disclosure of MOVEit Transfer database contents. The weakness is tracked as CWE-89.
Progress security advisories direct customers to install the July 2023 service packs that remediate the issue across the listed branches. The associated EPSS score currently stands at 0.9128 with a recorded peak of 0.9210.
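As an added example (not text from this page and not Progress's own code), the following Python script turns the per-branch fixed versions quoted above into a triage check for an inventory of MOVEit Transfer hosts. It assumes version strings in either of the two schemes the advisory pairs together (year-style "2023.0.4" or internal "15.0.4"), maps branches only as the advisory lists them, and reports any branch the advisory does not mention as unknown rather than guessing. The hostnames and versions in the sample inventory are constructed.

```python
"""
Fixed-version triage for CVE-2023-36934 in MOVEit Transfer.

Added example, not code from the page or from Progress. It encodes only the
per-branch fixed builds quoted in the advisory text and decides, for a version
string as MOVEit reports it, whether that build carries the July 2023 fix.
Assumption: the year-style/internal pairs ("2023.0.4 (15.0.4)") map branch for
branch exactly as listed; branches the advisory does not mention are reported
as 'unknown' or, when older than every listed fix, as 'vulnerable'.
"""
from __future__ import annotations

# Earliest fixed build per branch, exactly as the advisory lists them:
# year-style string -> internal (major, minor, patch).
FIXED_BUILDS: dict[str, tuple[int, int, int]] = {
    "2020.1.11": (12, 1, 11),
    "2021.0.9": (13, 0, 9),
    "2021.1.7": (13, 1, 7),
    "2022.0.7": (14, 0, 7),
    "2022.1.8": (14, 1, 8),
    "2023.0.4": (15, 0, 4),
}

# Derived lookups: year-style branch ("2023.0") -> internal branch (15, 0),
# and internal branch -> its earliest fixed build.
YEAR_BRANCH = {y.rsplit(".", 1)[0]: v[:2] for y, v in FIXED_BUILDS.items()}
FIX_FOR_BRANCH = {v[:2]: v for v in FIXED_BUILDS.values()}
LOWEST_FIX = min(FIXED_BUILDS.values())  # (12, 1, 11)


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise '15.0.3' or '2023.0.3' to an internal (major, minor, patch) tuple.

    Integer tuples compare numerically, so 12.1.9 < 12.1.11 as it should;
    a plain string comparison would get that backwards ('9' > '1').
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    if major >= 2000:  # year-style scheme: translate the branch part
        key = f"{major}.{minor}"
        if key not in YEAR_BRANCH:
            raise ValueError(f"year-style branch {key!r} is not in the advisory list")
        major, minor = YEAR_BRANCH[key]
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2023-36934."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIX_FOR_BRANCH:
        return "fixed" if v >= FIX_FOR_BRANCH[branch] else "vulnerable"
    if v < LOWEST_FIX:
        # Older than every branch that received a service pack: no fixed build
        # exists on that branch, so the only remediation is an upgrade.
        return "vulnerable"
    # Newer than the branches the advisory enumerates; check the vendor notice.
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the 'vulnerable' bucket can go straight to patching."""
    buckets: dict[str, list[str]] = {"fixed": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        buckets[assess(version)].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "mft-prod-01": "15.0.3",
        "mft-prod-02": "2023.0.4",
        "mft-dr-01": "14.1.8",
        "mft-legacy": "12.1.9",
        "mft-eol": "11.5.0",
        "mft-lab": "15.1.0",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:<10} {', '.join(hosts) or '-'}")
```

This is a version check only: a host reported as fixed has the service pack, but that says nothing about whether it was exploited before patching, and the EPSS or KEV status above does not change which build is required.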
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40854
Vulnerability details
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
- CWE(s): CWE-89 (SQL Injection)