{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2291", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2024-03-07T17:27:18.819Z", "datePublished": "2024-03-20T14:46:59.040Z", "dateUpdated": "2024-08-01T19:11:53.265Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "MOVEit Transfer", "vendor": "Progress Software", "versions": [{"lessThan": "2022.0.11 (14.0.11)", "status": "affected", "version": "2022.0.0 (14.0.0)", "versionType": "semver"}, {"lessThan": "2022.1.12 (14.1.12)", "status": "affected", "version": "2022.1.0 (14.1.0)", "versionType": "semver"}, {"lessThan": "2023.0.9 (15.0.9)", "status": "affected", "version": "2023.0.0 (15.0.0)", "versionType": "semver"}, {"lessThan": "2023.1.4 (15.1.4)", "status": "affected", "version": "2023.1.0 (15.1.0)", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "HackerOne: interl0per"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.&nbsp; An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.</span>"}], "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly."}], "impacts": [{"capecId": "CAPEC-268", "descriptions": [{"lang": "en", "value": "CAPEC-268 Audit Log Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-778", "description": "CWE-778: Insufficient Logging", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-03-20T14:46:59.040Z"}, "references": [{"tags": ["product"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"}], "source": {"discovery": "UNKNOWN"}, "title": "MOVEit Transfer Logging Bypass Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2291", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-20T20:09:08.372929Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:30:49.129Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.265Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://www.progress.com/moveit"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.progress.com/moveit", "tags": ["product", "x_transferred"]}, {"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.265Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2291", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-20T20:09:08.372929Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:19.094Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "MOVEit Transfer Logging Bypass Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "HackerOne: interl0per"}], "impacts": [{"capecId": "CAPEC-268", "descriptions": [{"lang": "en", "value": "CAPEC-268 Audit Log Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software", "product": "MOVEit Transfer", "versions": [{"status": "affected", "version": "2022.0.0 (14.0.0)", "lessThan": "2022.0.11 (14.0.11)", "versionType": "semver"}, {"status": "affected", "version": "2022.1.0 (14.1.0)", "lessThan": "2022.1.12 (14.1.12)", "versionType": "semver"}, {"status": "affected", "version": "2023.0.0 (15.0.0)", "lessThan": "2023.0.9 (15.0.9)", "versionType": "semver"}, {"status": "affected", "version": "2023.1.0 (15.1.0)", "lessThan": "2023.1.4 (15.1.4)", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.progress.com/moveit", "tags": ["product"]}, {"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.&nbsp; An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-778", "description": "CWE-778: Insufficient Logging"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2024-03-20T14:46:59.040Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2291", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:11:53.265Z", "dateReserved": "2024-03-07T17:27:18.819Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2024-03-20T14:46:59.040Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "A33F43C2-F905-43C3-A9D4-671BEE079C68", "versionEndExcluding": "2022.0.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "2BD95EE0-833F-42E9-BCCA-EC4089AB6E62", "versionEndExcluding": "2022.1.12", "versionStartIncluding": "2022.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "D682546D-079E-431A-BFA9-DEF714BA364A", "versionEndExcluding": "2023.0.9", "versionStartIncluding": "2023.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "matchCriteriaId": "E72FDB08-3760-4472-A60C-BDDD51B25708", "versionEndExcluding": "2023.1.4", "versionStartIncluding": "2023.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de omisi\u00f3n de registro en las versiones de MOVEit Transfer publicadas antes de 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4). Un usuario autenticado podr\u00eda manipular una solicitud para omitir el mecanismo de registro dentro de la aplicaci\u00f3n web, lo que da como resultado que la actividad del usuario no se registre correctamente."}], "id": "CVE-2024-2291", "lastModified": "2025-01-16T18:02:45.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-20T15:15:08.010", "references": [{"source": "security@progress.com", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"}, {"source": "security@progress.com", "tags": ["Product"], "url": "https://www.progress.com/moveit"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.progress.com/moveit"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-778"}], "source": "security@progress.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}