CVE-2023-6218

In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. It is possible for a group administrator to elevate a group members permissions to the role of an organization administrator.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023	Release Notes Vendor Advisory
https://www.progress.com/moveit	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::

History

05 Dec 2023, 17:10

Type	Values Removed	Values Added
References	~~() https://www.progress.com/moveit -~~	() https://www.progress.com/moveit - Product
References	~~() https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023 -~~	() https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023 - Release Notes, Vendor Advisory
First Time		Progress moveit Transfer Progress
CPE		cpe:2.3:a:progress:moveit_transfer::::::::
CWE		CWE-269
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2

29 Nov 2023, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-29 17:15

Updated : 2023-12-10 15:26

NVD link : CVE-2023-6218

Mitre link : CVE-2023-6218

CVE.ORG link : CVE-2023-6218

JSON object : View

Products Affected

progress

moveit_transfer

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2023-6218", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security@progress.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-11-29T17:15:07.587", "references": [{"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023", "tags": ["Release Notes", "Vendor Advisory"], "source": "security@progress.com"}, {"url": "https://www.progress.com/moveit", "tags": ["Product"], "source": "security@progress.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}, {"type": "Secondary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.\u00a0 It is possible for a group administrator to elevate a group members permissions to the role of an organization\u00a0administrator.\n"}, {"lang": "es", "value": "En las versiones de Progress MOVEit Transfer lanzadas antes de 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), se ha identificado una ruta de escalada de privilegios asociada con los administradores de grupo. Es posible que un administrador de grupo eleve los permisos de los miembros de un grupo al rol de administrador de la organizaci\u00f3n."}], "lastModified": "2023-12-05T17:10:33.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A99606D-C2F1-40F0-B682-8AF3A1214ED7", "versionEndIncluding": "2021.1.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6985BD08-92E5-48EA-BB76-B85186F067EA", "versionEndExcluding": "2022.0.9", "versionStartIncluding": "2022.0.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7753AA60-D5C5-47A7-AE71-0ED05DE24930", "versionEndExcluding": "2022.1.10", "versionStartIncluding": "2022.1.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A01A6CCA-73BC-45BE-858A-24EEA00B81EC", "versionEndExcluding": "2023.0.7", "versionStartIncluding": "2023.0.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B7FB41C-AC16-4A5F-9C0D-CEF3E87084CF", "versionEndExcluding": "2023.1.2", "versionStartIncluding": "2023.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@progress.com"}