CVE-2019-18464
Current Description
In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 before 11.0.4 (2019.0.4), and 11.1 before 11.1.3 (2019.1.3), multiple SQL Injection vulnerabilities have been found in the REST API that could allow an unauthenticated attacker to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database or may be able to alter the database.
Basic Data
| Published | October 31, 2019 |
|---|
| Last Modified | November 06, 2019 |
|---|
| Assigner | cve@mitre.org |
|---|
| Data Type | CVE |
|---|
| Data Format | MITRE |
|---|
| Data Version | 4.0 |
|---|
| Problem Type | CWE-89 |
|---|
| CVE Data Version | 4.0 |
|---|
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|
| CVSS 2 - Vector String | AV:N/AC:L/Au:N/C:P/I:P/A:P |
|---|
| CVSS 2 - Access Vector | NETWORK |
|---|
| CVSS 2 - Access Complexity | LOW |
|---|
| CVSS 2 - Authentication | NONE |
|---|
| CVSS 2 - Confidentiality Impact | PARTIAL |
|---|
| CVSS 2 - Availability Impact | PARTIAL |
|---|
| CVSS 2 - Base Score | 7.5 |
|---|
| Severity | HIGH |
|---|
| Exploitability Score | 10.0 |
|---|
| Impact Score | 6.4 |
|---|
| Obtain All Privilege | false |
|---|
| Obtain User Privilege | false |
|---|
| Obtain Other Privilege | false |
|---|
Base Metric V3
No data provided.
Configurations
-
OR - Configuration 1
| Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
|---|
| 2.3 | Application | Ipswitch | Moveit Transfer | * | * | * | * | * | * | * | * | 10.2.0 | � | � | 10.2.6 |
| 2.3 | Application | Ipswitch | Moveit Transfer | * | * | * | * | * | * | * | * | 11.0 | � | � | 11.0.4 |
| 2.3 | Application | Ipswitch | Moveit Transfer | * | * | * | * | * | * | * | * | 11.1 | � | � | 11.1.3 |
Vulnerable Software List
References
| Name | Source | URL | Tags |
|---|
| https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability-2 | https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability-2 | CONFIRM | Patch Vendor Advisory |
| https://docs.ipswitch.com/MOVEit/Transfer2018SP2/ReleaseNotes/en/index.htm#46490.htm | https://docs.ipswitch.com/MOVEit/Transfer2018SP2/ReleaseNotes/en/index.htm#46490.htm | CONFIRM | Release Notes Vendor Advisory |
| https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm | CONFIRM | Release Notes Vendor Advisory |
| https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm | https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm | CONFIRM | Release Notes Vendor Advisory |
Follow @discotekdotca