CVE-2023-6218

In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. It is possible for a group administrator to elevate a group members permissions to the role of an organization administrator.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023	Release Notes Vendor Advisory
https://www.progress.com/moveit	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::

History

No history.

Information

Published : 2023-11-29 17:15

Updated : 2023-12-05 17:10

NVD link : CVE-2023-6218

Mitre link : CVE-2023-6218

CVE.ORG link : CVE-2023-6218

JSON object : View

Products Affected

progress

moveit_transfer

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2023-6218", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-11-29T17:15:07.587", "references": [{"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023", "tags": ["Release Notes", "Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.progress.com/moveit", "tags": ["Product"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.\u00a0 It is possible for a group administrator to elevate a group members permissions to the role of an organization\u00a0administrator.\n"}, {"lang": "es", "value": "En las versiones de Progress MOVEit Transfer lanzadas antes de 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), se ha identificado una ruta de escalada de privilegios asociada con los administradores de grupo. Es posible que un administrador de grupo eleve los permisos de los miembros de un grupo al rol de administrador de la organizaci\u00f3n."}], "lastModified": "2023-12-05T17:10:33.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A99606D-C2F1-40F0-B682-8AF3A1214ED7", "versionEndIncluding": "2021.1.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6985BD08-92E5-48EA-BB76-B85186F067EA", "versionEndExcluding": "2022.0.9", "versionStartIncluding": "2022.0.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7753AA60-D5C5-47A7-AE71-0ED05DE24930", "versionEndExcluding": "2022.1.10", "versionStartIncluding": "2022.1.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A01A6CCA-73BC-45BE-858A-24EEA00B81EC", "versionEndExcluding": "2023.0.7", "versionStartIncluding": "2023.0.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B7FB41C-AC16-4A5F-9C0D-CEF3E87084CF", "versionEndExcluding": "2023.1.2", "versionStartIncluding": "2023.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}