CVE-2023-36934: 
MOVEit Transfer vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2023-36934) was identified in the MOVEit Transfer web application, discovered in July 2023. The vulnerability affects MOVEit Transfer versions before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). This vulnerability could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database (NVD, CVE).

The vulnerability is classified as a SQL injection vulnerability (CWE-89) with a CVSS v3.1 base score of 9.1 (CRITICAL). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high impact on confidentiality (C:H) and integrity (I:H), but no impact on availability (A:N) (NVD).

An attacker exploiting this vulnerability could submit a crafted payload to a MOVEit Transfer application endpoint, potentially resulting in modification and disclosure of MOVEit database content. This could lead to unauthorized access to sensitive data within the MOVEit Transfer database (Arctic Wolf).

Progress Software has released security patches for all affected versions of MOVEit Transfer. Organizations running version 2020.1.6 can utilize patched DLLs as a drop-in patch. Users running MOVEit Transfer 2020.0.x or older versions must upgrade to a supported version. The patches also address two other high-severity vulnerabilities: CVE-2023-36932 and CVE-2023-36933 (Progress).