CVE-2023-40046

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a SQL injection vulnerability exists in the WS_FTP Server manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023	Vendor Advisory
https://www.progress.com/ws_ftp	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:progress:ws_ftp_server::::::::
	cpe:2.3:a:progress:ws_ftp_server::::::::

History

No history.

Information

Published : 2023-09-27 15:18

Updated : 2023-09-27 19:33

NVD link : CVE-2023-40046

Mitre link : CVE-2023-40046

CVE.ORG link : CVE-2023-40046

JSON object : View

Products Affected

progress

ws_ftp_server

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-40046", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 2.3}]}, "published": "2023-09-27T15:18:58.103", "references": [{"url": "https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023", "tags": ["Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.progress.com/ws_ftp", "tags": ["Product"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "\n\n\nIn WS_FTP Server versions prior to 8.7.4 and 8.8.2,\n\n a SQL injection vulnerability exists in the WS_FTP Server manager interface. An attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.\n\n"}, {"lang": "es", "value": "En las versiones del servidor WS_FTP anteriores a 8.7.4 y 8.8.2, existe una vulnerabilidad de inyecci\u00f3n SQL en la interfaz del administrador del servidor WS_FTP. Un atacante puede inferir informaci\u00f3n sobre la estructura y el contenido de la base de datos, y ejecutar declaraciones SQL que alteren o eliminen elementos de la base de datos."}], "lastModified": "2023-09-27T19:33:00.803", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:ws_ftp_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "443CCFDE-4A61-40F1-96C1-B36BF9240773", "versionEndExcluding": "8.7.4"}, {"criteria": "cpe:2.3:a:progress:ws_ftp_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "670AEEB3-B2B3-41DA-8188-4F1A4E02F0AD", "versionEndExcluding": "8.8.2", "versionStartIncluding": "8.8"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}