CVE-2024-0396 - Missing Server-Side Input Validation leads to computational errors and potential denial of service in Progress MOVEit Transfer

1. Vulnerability Properties

Title: Missing Server-Side Input Validation leads to computational errors and potential denial of service in Progress MOVEit Transfer
CVE ID: CVE-2024-0396
CVSSv3 Base Score: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
Vendor: Progress Software Corporation (Progress)
Products: Progress MOVEit Transfer
Advisory Release Date: 18-01-2024
Advisory URL: https://labs.integrity.pt/advisories/cve-2024-0396
Credits: Discovery by Pedro Valadares Pinho <pedro.pinho[at]devoteam.com>

2. Vulnerability Summary

An input validation issue was discovered in Progress MOVEit Transfer. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.

3. Vulnerable Versions

  • MOVEit Transfer 2023.1.2 (15.1.2) and earlier
  • MOVEit Transfer 2023.0.7 (15.0.7) and earlier
  • MOVEit Transfer 2022.1.10 (14.1.10) and earlier
  • MOVEit Transfer 2022.0.9 (14.0.9) and earlier
  • MOVEit Transfer 2021.1.x (13.1.x) and older

4. Solution

5. Vulnerability Timeline

  • 14/Dec/23 - Bug reported to vendor (via their Vulnerability Disclosure Program on HackerOne)
  • 22/Dec/23 - Bug validated by vendor
  • 17/Jan/24 - Advisory released

6. References

  • https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024
  • https://www.cve.org/CVERecord?id=CVE-2024-0396
  • https://www.progress.com/moveit


© 2024 INTEGRITY S.A. All rights reserved.
