cve-2024-2291
Vulnerability from cvelistv5
Published
2024-03-20 14:46
Modified
2024-08-01 19:11
Severity ?
EPSS score ?
Summary
In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | MOVEit Transfer |
Version: 2022.0.0 (14.0.0) ≤ Version: 2022.1.0 (14.1.0) ≤ Version: 2023.0.0 (15.0.0) ≤ Version: 2023.1.0 (15.1.0) ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-20T20:09:08.372929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:49.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "MOVEit Transfer",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2022.0.11 (14.0.11)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.12 (14.1.12)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.9 (15.0.9)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2023.1.4 (15.1.4)",
"status": "affected",
"version": "2023.1.0 (15.1.0)",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "HackerOne: interl0per"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u0026nbsp; An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly."
}
],
"impacts": [
{
"capecId": "CAPEC-268",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-268 Audit Log Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-778",
"description": "CWE-778: Insufficient Logging",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-20T14:46:59.040Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Logging Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-2291",
"datePublished": "2024-03-20T14:46:59.040Z",
"dateReserved": "2024-03-07T17:27:18.819Z",
"dateUpdated": "2024-08-01T19:11:53.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-2291\",\"sourceIdentifier\":\"security@progress.com\",\"published\":\"2024-03-20T15:15:08.010\",\"lastModified\":\"2025-01-16T18:02:45.747\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto una vulnerabilidad de omisi\u00f3n de registro en las versiones de MOVEit Transfer publicadas antes de 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4). Un usuario autenticado podr\u00eda manipular una solicitud para omitir el mecanismo de registro dentro de la aplicaci\u00f3n web, lo que da como resultado que la actividad del usuario no se registre correctamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@progress.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-778\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2022.0.11\",\"matchCriteriaId\":\"A33F43C2-F905-43C3-A9D4-671BEE079C68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2022.1.0\",\"versionEndExcluding\":\"2022.1.12\",\"matchCriteriaId\":\"2BD95EE0-833F-42E9-BCCA-EC4089AB6E62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2023.0.0\",\"versionEndExcluding\":\"2023.0.9\",\"matchCriteriaId\":\"D682546D-079E-431A-BFA9-DEF714BA364A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2023.1.0\",\"versionEndExcluding\":\"2023.1.4\",\"matchCriteriaId\":\"E72FDB08-3760-4472-A60C-BDDD51B25708\"}]}]}],\"references\":[{\"url\":\"https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024\",\"source\":\"security@progress.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.progress.com/moveit\",\"source\":\"security@progress.com\",\"tags\":[\"Product\"]},{\"url\":\"https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.progress.com/moveit\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.progress.com/moveit\", \"tags\": [\"product\", \"x_transferred\"]}, {\"url\": \"https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T19:11:53.265Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-2291\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-20T20:09:08.372929Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:19.094Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"MOVEit Transfer Logging Bypass Vulnerability\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"HackerOne: interl0per\"}], \"impacts\": [{\"capecId\": \"CAPEC-268\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-268 Audit Log Manipulation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Progress Software\", \"product\": \"MOVEit Transfer\", \"versions\": [{\"status\": \"affected\", \"version\": \"2022.0.0 (14.0.0)\", \"lessThan\": \"2022.0.11 (14.0.11)\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2022.1.0 (14.1.0)\", \"lessThan\": \"2022.1.12 (14.1.12)\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2023.0.0 (15.0.0)\", \"lessThan\": \"2023.0.9 (15.0.9)\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2023.1.0 (15.1.0)\", \"lessThan\": \"2023.1.4 (15.1.4)\", \"versionType\": \"semver\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://www.progress.com/moveit\", \"tags\": [\"product\"]}, {\"url\": \"https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"\\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u0026nbsp; An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-778\", \"description\": \"CWE-778: Insufficient Logging\"}]}], \"providerMetadata\": {\"orgId\": \"f9fea0b6-671e-4eea-8fde-31911902ae05\", \"shortName\": \"ProgressSoftware\", \"dateUpdated\": \"2024-03-20T14:46:59.040Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-2291\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T19:11:53.265Z\", \"dateReserved\": \"2024-03-07T17:27:18.819Z\", \"assignerOrgId\": \"f9fea0b6-671e-4eea-8fde-31911902ae05\", \"datePublished\": \"2024-03-20T14:46:59.040Z\", \"assignerShortName\": \"ProgressSoftware\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.