Vulnerability Details CVE-2021-38159
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.034
EPSS Ranking 86.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
Products affected by CVE-2021-38159
-
cpe:2.3:a:progress:moveit_transfer:-
-
cpe:2.3:a:progress:moveit_transfer:2019.0.6
-
cpe:2.3:a:progress:moveit_transfer:2019.0.7
-
cpe:2.3:a:progress:moveit_transfer:2019.1
-
cpe:2.3:a:progress:moveit_transfer:2019.1.3
-
cpe:2.3:a:progress:moveit_transfer:2019.1.4
-
cpe:2.3:a:progress:moveit_transfer:2019.1.5
-
cpe:2.3:a:progress:moveit_transfer:2019.1.6
-
cpe:2.3:a:progress:moveit_transfer:2019.2
-
cpe:2.3:a:progress:moveit_transfer:2019.2.1
-
cpe:2.3:a:progress:moveit_transfer:2019.2.2
-
cpe:2.3:a:progress:moveit_transfer:2019.2.3
-
cpe:2.3:a:progress:moveit_transfer:2020.0
-
cpe:2.3:a:progress:moveit_transfer:2020.0.5
-
cpe:2.3:a:progress:moveit_transfer:2020.0.6
-
cpe:2.3:a:progress:moveit_transfer:2020.1
-
cpe:2.3:a:progress:moveit_transfer:2020.1.1
-
cpe:2.3:a:progress:moveit_transfer:2020.1.4
-
cpe:2.3:a:progress:moveit_transfer:2020.1.5
-
cpe:2.3:a:progress:moveit_transfer:2021.0
-
cpe:2.3:a:progress:moveit_transfer:2021.0.1
-
cpe:2.3:a:progress:moveit_transfer:2021.0.3