A critical-severity SQL injection flaw and two other high-severity vulnerabilities have been fixed in MOVEit Transfer, the software at the focus of the recent widespread Clop ransomware outbreaks.
Progress Software detected SQL injection vulnerability, tracked as CVE-2023-36934, which can allow unauthenticated attackers access to the MOVEit Transfer database without authorization.
SQL injection vulnerabilities are a well-known and severe security weakness that allows attackers to modify databases and run any code they want.
Attackers can deliver specially crafted payloads to specific endpoints of the compromised application, changing or exposing sensitive data in the database.
Details of the Critical and High-Severity Vulnerabilities
The critical-severity bug identified as CVE-2023-36934 is so serious that it may be exploited without logging in. As a result, attackers without proper credentials may be able to take advantage of the vulnerability.
“A SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database,” reads Progress’s security advisory.
“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”
A high-severity rating was given to the next SQL injection bug, CVE-2023-36932, because attackers might utilize it to their advantage after authentication.
“Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database,” reads the security advisory.
The CVE-2023-36933 vulnerability, a high-severity issue that enables attackers to force an unexpected program termination, is the third vulnerability fixed by this patch.
Affected Versions
The two security flaws related to SQL injection affect many MOVEit Transfer versions, including 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.
Versions 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier are all affected due to CVE 2023-36933, high-severity flaw.
For every major MOVEit Transfer version, Progress Software has made the required upgrades accessible. To mitigate the risks posed by these vulnerabilities, users are strongly encouraged to update to the most recent version of MOVEit Transfer.