Vulnerability-Lookup

CNVD-2020-19007

Vulnerability from cnvd - Published: 2020-03-24

Title

Progress Software MOVEit Transfer SQL注入漏洞（CNVD-2020-19007）

Description

Progress Software MOVEit Transfer是美国Progress Software公司的一套文件传输软件。 Progress Software MOVEit Transfer 2019.1.4之前的2019.1版本和2019.2.1之前的2019.2版本中的REST API存在SQL注入漏洞，攻击者可利用该漏洞访问MOVEit Transfer数据库，并可能推测出数据库的结构和内容，执行SQL语句。

Severity

中

Patch Name

Progress Software MOVEit Transfer SQL注入漏洞（CNVD-2020-19007）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-8611

Impacted products

Name
['Progress Software Progress Software MOVEit Transfer 2019.1，<2019.1.4', 'Progress Software Progress Software MOVEit Transfer 2019.2，<2019.2.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-8611"
    }
  },
  "description": "Progress Software MOVEit Transfer\u662f\u7f8e\u56fdProgress Software\u516c\u53f8\u7684\u4e00\u5957\u6587\u4ef6\u4f20\u8f93\u8f6f\u4ef6\u3002\n\nProgress Software MOVEit Transfer 2019.1.4\u4e4b\u524d\u76842019.1\u7248\u672c\u548c2019.2.1\u4e4b\u524d\u76842019.2\u7248\u672c\u4e2d\u7684REST API\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95eeMOVEit Transfer\u6570\u636e\u5e93\uff0c\u5e76\u53ef\u80fd\u63a8\u6d4b\u51fa\u6570\u636e\u5e93\u7684\u7ed3\u6784\u548c\u5185\u5bb9\uff0c\u6267\u884cSQL\u8bed\u53e5\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-19007",
  "openTime": "2020-03-24",
  "patchDescription": "Progress Software MOVEit Transfer\u662f\u7f8e\u56fdProgress Software\u516c\u53f8\u7684\u4e00\u5957\u6587\u4ef6\u4f20\u8f93\u8f6f\u4ef6\u3002\r\n\r\nProgress Software MOVEit Transfer 2019.1.4\u4e4b\u524d\u76842019.1\u7248\u672c\u548c2019.2.1\u4e4b\u524d\u76842019.2\u7248\u672c\u4e2d\u7684REST API\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95eeMOVEit Transfer\u6570\u636e\u5e93\uff0c\u5e76\u53ef\u80fd\u63a8\u6d4b\u51fa\u6570\u636e\u5e93\u7684\u7ed3\u6784\u548c\u5185\u5bb9\uff0c\u6267\u884cSQL\u8bed\u53e5\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Progress Software MOVEit Transfer SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2020-19007\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Progress Software   Progress Software MOVEit Transfer 2019.1\uff0c\u003c2019.1.4",
      "Progress Software   Progress Software MOVEit Transfer 2019.2\uff0c\u003c2019.2.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-8611",
  "serverity": "\u4e2d",
  "submitTime": "2020-02-17",
  "title": "Progress Software MOVEit Transfer SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2020-19007\uff09"
}

CVE-2020-8611 (GCVE-0-2020-8611)

Vulnerability from cvelistv5 – Published: 2020-02-14 17:59 – Updated: 2024-08-04 10:03

Summary

In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer's database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

4 references

URL	Tags
https://docs.ipswitch.com/MOVEit/Transfer2019_1/R…	x_refsource_CONFIRM
https://community.ipswitch.com/s/article/MOVEit-T…	x_refsource_MISC
https://docs.ipswitch.com/MOVEit/Transfer2019_2/R…	x_refsource_CONFIRM
https://status.moveitcloud.com/	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:03:46.269Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://status.moveitcloud.com/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer\u0027s database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-14T17:59:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://status.moveitcloud.com/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-8611",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, multiple SQL Injection vulnerabilities have been found in the REST API that could allow an authenticated attacker to gain unauthorized access to MOVEit Transfer\u0027s database via the REST API. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or destroy database elements."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm",
              "refsource": "CONFIRM",
              "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm"
            },
            {
              "name": "https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020",
              "refsource": "MISC",
              "url": "https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020"
            },
            {
              "name": "https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm",
              "refsource": "CONFIRM",
              "url": "https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm"
            },
            {
              "name": "https://status.moveitcloud.com/",
              "refsource": "CONFIRM",
              "url": "https://status.moveitcloud.com/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-8611",
    "datePublished": "2020-02-14T17:59:01.000Z",
    "dateReserved": "2020-02-04T00:00:00.000Z",
    "dateUpdated": "2024-08-04T10:03:46.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-19007

CVE-2020-8611 (GCVE-0-2020-8611)

Tags

Sightings

Nomenclature