PT-2019-14650 · Microsoft+2 · Azure Sql+3
Published
2019-09-24
·
Updated
2020-04-14
·
CVE-2019-16383
CVSS v3.1
9.4
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Progress MOVEit Transfer versions 2018 SP2 before 10.2.4
Progress MOVEit Transfer versions 2019 before 11.0.2
Progress MOVEit Transfer versions 2019.1 before 11.1.1
Description
The issue allows an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used, such as MySQL, Microsoft SQL Server, or Azure SQL, an attacker may be able to infer information about the structure and contents of the database, or may be able to alter the database via the REST API.
Recommendations
For Progress MOVEit Transfer 2018 SP2, update to version 10.2.4 or later.
For Progress MOVEit Transfer 2019, update to version 11.0.2 or later.
For Progress MOVEit Transfer 2019.1, update to version 11.1.1 or later.
Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Azure Sql
Moveit Transfer
Sql Server
Mysql Server