Missing Authentication for Critical Function in MOVEit Transfer - CVE-2019-18465


Published: May 30, 2021


Vulnerability identifier: #VU53659
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-18465
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
MOVEit Transfer
Software vendor:
Progress Software Corporation

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to a logic error that allows a remote authenticated attacker to sign in without full credentials via the SSH (SFTP) interface. The vulnerability affects only certain SSH (SFTP) configurations and applies only when the MySQL database is in use.


Remediation

Install updates from the vendor's website.

External links