Fortra has addressed a critical security flaw impacting FileCatalyst Workflow that could be abused by a remote attacker to gain administrative access.
The vulnerability, tracked as CVE-2024-6633, carries a CVSS score of 9.8, and stems from the use of a static password to connect to a HSQL database.
“The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledge base article,” Fortra said in an advisory. “Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software.”
“The HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB.”
Cybersecurity company Tenable, which has been credited with discovering and reporting the flaw, said the HSQLDB is remotely accessible on TCP port 4406 by default, thereby allowing a remote attacker to connect to the database using the static password and perform malicious operations.
Following responsible disclosure on July 2, 2024, Fortra has released a patch to plug the security hole in FileCatalyst Workflow 5.1.7 or later.
“For example, the attacker can add an admin-level user in the DOCTERA_USERS table, allowing access to the Workflow web application as an admin user,” Tenable said.
Also addressed in version 5.1.7 is a high-severity SQL injection flaw (CVE-2024-6632, CVSS score: 7.2) that abuses a form submission step during the setup process to make unauthorized modifications of the database.
“During the setup process of FileCatalyst Workflow, the user is prompted to provide company information via a form submission,” Dynatrace researcher Robin Wyss said.
“The submitted data is used in a database statement, but the user input is not going through proper input validation. As a result, the attacker can modify the query. This allows for unauthorized modifications on the database.”