
MOVEit Transfer Vulnerability – CVE-2023-35708

 


 

Service Advisory

 

Progress Software Corporation released a security advisory about a vulnerability in internet-facing and on-premises instances of its MOVEit Transfer solution that could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability CVE-2023-34362 is being actively exploited.

 

Please notify infosec@yorku.ca immediately if you are using MOVEit.

 

Severity level:

CVSS Score: 9.8 / Critical

 

CVE Details:

CVE-2023-34362

The MOVEit Transfer vulnerability covers multiple flaws that an attacker can chain together to achieve remote code execution (RCE) with elevated privileges. Successful exploitation could allow an unauthenticated attacker to gain access to the MOVEit Transfer database, infer information about its internals, and alter or delete its elements.

 

CVE-2023-35036

Patches for CVE-2023-35036 are meant to mitigate multiple parts of the successful exploit chain initially discovered to have been used during the exploitation of the first vulnerability, CVE-2023-34362.

 

CVE-2023-35708

A third vulnerability was identified in which an unauthenticated remote attacker could use the SQL injection vulnerability in the latest release of MOVEit Transfer to steal or modify data.

 

Affected Versions: 

All MOVEit Transfer versions are affected by this vulnerability.

 

Impact:

An attacker can gain unauthorized access to the MOVEit Transfer database.

 

Resolution:

Apply the patches available for the MOVEit Transfer Critical Vulnerability or follow the remediation steps.

 

Reference:

https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

https://www.cyber.gc.ca/en/alerts-advisories/moveit-transfer-security-advisory-av23-340

 

UIT Information Security

 

 

 

This email was sent by: York University, 4700 Keele Street, Toronto, Ontario M3J 1P3
