CVE-2021-37614
HIGHProgress MOVEit Transfer < 2019.0.7 - Authenticated SQL Injection via Transaction Type Strings
Title source: llmDescription
In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0.3), SQL injection in the MOVEit Transfer web application could allow an authenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.7 (11.0.7), 2019.1.6 (11.1.6), 2019.2.3 (11.2.3), 2020.0.6 (12.0.6), 2020.1.5 (12.1.5), and 2021.0.3 (13.0.3).
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-August-2021
Release Notes, Vendor Advisory x_refsource_misc
https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNotes/en/index.htm#48648.htm
Vendor Advisory x_refsource_misc
https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNotes/en/index.htm#link8
Release Notes, Vendor Advisory x_refsource_misc
https://docs.ipswitch.com/MOVEit/Transfer2020/ReleaseNotes/en/index.htm#50951.htm
Scores
CVSS v3
8.8
EPSS
0.0017
EPSS Percentile
38.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
progress/moveit_transfer
< 2019.0.7
Published
Aug 05, 2021
Tracked Since
Feb 18, 2026