Vulnerability Details CVE-2021-37614
In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), and 2021.0.3 (13.0.3).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 39.4%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
- https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021
- https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm
- https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm
- https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8
- https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021
- https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm
- https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm
- https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8
Products affected by CVE-2021-37614
-
cpe:2.3:a:progress:moveit_transfer:-
-
cpe:2.3:a:progress:moveit_transfer:2019.0.6
-
cpe:2.3:a:progress:moveit_transfer:2019.1
-
cpe:2.3:a:progress:moveit_transfer:2019.1.3
-
cpe:2.3:a:progress:moveit_transfer:2019.1.4
-
cpe:2.3:a:progress:moveit_transfer:2019.1.5
-
cpe:2.3:a:progress:moveit_transfer:2019.2
-
cpe:2.3:a:progress:moveit_transfer:2019.2.1
-
cpe:2.3:a:progress:moveit_transfer:2019.2.2
-
cpe:2.3:a:progress:moveit_transfer:2020.0
-
cpe:2.3:a:progress:moveit_transfer:2020.0.5
-
cpe:2.3:a:progress:moveit_transfer:2020.1
-
cpe:2.3:a:progress:moveit_transfer:2020.1.1
-
cpe:2.3:a:progress:moveit_transfer:2020.1.4
-
cpe:2.3:a:progress:moveit_transfer:2021.0
-
cpe:2.3:a:progress:moveit_transfer:2021.0.1