Fortra has resolved a critical security flaw affecting the FileCatalyst workflow that could be exploited by a remote attacker to gain administrative access.
The vulnerability, tracked as CVE-2024-6633, has a CVSS score of 9.8 and results from the use of a static password to connect to an HSQL database.
“The default credentials to install the HSQL database (HSQLDB) for FileCatalyst Workflow are published to the vendor knowledge base article“Fortra said in the consulting room. “Misuse of these credentials may compromise the confidentiality, integrity, or availability of the software.”
“HSQLDB is included for ease of installation only, is deprecated and not intended for production use per the vendor’s manual. However, users who have not configured FileCatalyst Workflow to use an alternate database as recommended are vulnerable to attacks from any source that can reach HSQLDB.”
Cybersecurity company Tenable, which is credited with discovering and reporting the flaw, said By default, HSQLDB is accessible remotely via TCP port 4406, which allows a remote attacker to connect to the database using a static password and perform malicious operations.
Following a responsible disclosure, on July 2, 2024, Fortra released a patch to address the security hole in FileCatalyst Workflow 5.1.7 or later.
“For example, an attacker could add an admin-level user to the DOCTERA_USERS table, allowing access to the Workflow web application as an admin user,” Tenable said.
Also addressed version 5.1.7 contains a serious SQL injection flaw (CVE-2024-6632, CVSS score: 7.2) that abuses the form submission phase of the installation process to make unauthorized changes to the database.
“During the FileCatalyst Workflow setup process, the user is prompted to provide company information via a form submission,” – Robin Wyss, Dynatrace Researcher. said.
“The submitted data is used in a database statement, but the user’s input does not pass proper input validation. As a result, an attacker can modify the request. This allows unauthorized modifications to the database.”
