PT-2021-20356 · Ipswitch+2 · Moveit Transfer+3

Published: 2021-06-09 · Updated: 2021-06-22

CVE-2021-33894

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:
MOVEit Transfer versions 2019.0.0 through 2019.0.5
MOVEit Transfer versions 2019.1.0 through 2019.1.4
MOVEit Transfer versions 2019.2.0 through 2019.2.1
MOVEit Transfer versions 2020.0.0 through 2020.0.4
MOVEit Transfer versions 2020.1.0 through 2020.1.3
MOVEit Transfer version 2021.0.0

Description: A SQL injection issue exists in the MOVEit Transfer web app, specifically in SILUtility.vb within MOVEit.DMZ.WebApp. This could allow an authenticated attacker to gain unauthorized access to the database, potentially inferring database structure and contents or executing SQL statements to alter or delete database elements, depending on the database engine used, such as MySQL, Microsoft SQL Server, or Azure SQL.

Recommendations:
For MOVEit Transfer versions 2019.0.0 through 2019.0.5, update to version 2019.0.6 or later.
For MOVEit Transfer versions 2019.1.0 through 2019.1.4, update to version 2019.1.5 or later.
For MOVEit Transfer versions 2019.2.0 through 2019.2.1, update to version 2019.2.2 or later.
For MOVEit Transfer versions 2020.0.0 through 2020.0.4, update to version 2020.0.5 or later.
For MOVEit Transfer versions 2020.1.0 through 2020.1.3, update to version 2020.1.4 or later.
For MOVEit Transfer version 2021.0.0, update to version 2021.0.1 or later.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2021-33894

Affected Products

Azure SQL
MOVEit Transfer
SQL Server
MySQL Server