Critical Fortra FileCatalyst Workflow vulnerability patched (CVE-2024-6633)

Organizations using Fortra’s FileCatalyst Workflow are urged to upgrade their instances, so that attackers can’t access an internal HSQL database by exploiting known static credentials (CVE-2024-6633).


“Once logged in to the HSQLDB, the attacker can perform malicious operations in the database. For example, the attacker can add an admin-level user in the DOCTERA_USERS table, allowing access to the Workflow web application as an admin user,” Tenable researchers discovered.

Two flaws fixed

Fortra FileCatalyst Workflow is a tool that simplifies the transfer of large files via a web portal. It is part of Fortra’s FileCatalyst enterprise software solution.

Fortra has released FileCatalyst Workflow version 5.1.7 to fix two vulnerabilities.

CVE-2024-6633 is a critical vulnerability stemming from the fact that default credentials for the setup HSQL database for FileCatalyst Workflow are publicly exposed in a vendor knowledge base (KB) article.

“The [internal Workflow] HSQLDB is only included to facilitate installation, has been deprecated, and is not intended for production use per vendor guides. However, users who have not configured FileCatalyst Workflow to use an alternative database per recommendations are vulnerable to attack from any source that can reach the HSQLDB,” Fortra explained.

According to Tenable researchers, the database is remotely accessible on TCP port 4406 by default. Following the steps outlined in the vendor KB article but using a remote JDBC URL (i.e., jdbc:hsqldb:hsql://:4406/hsqldb), unauthenticated, remote attackers may access the database by leveraging the documented static password.

Since users can’t change this password by conventional means, upgrading to the latest version is the only way to fix this exploitable weakness.

Discovered by Dynatrace security researchers, CVE-2024-6632 is a SQL injection vulnerability that may allow unauthorized modifications on the solution’s MySQL database.

“During the setup process of FileCatalyst Workflow, the user is prompted to provide company information via a form submission. The submitted data is used in a database statement, but the user input is not going through proper input validation. As a result, the attacker can modify the query,” Dynatrace researchers discovered.

“An attacker could potentially modify information on the database that go beyond what an authenticated user is allowed to do. They could also potentially modify other databases on the same database server.”

Dynatrace discovered the vulnerability as part of an investigation activity following the publication of CVE-2024-5276, a previous SQL injection flaw found by Tenable. The good news, though, is that CVE-2024-6632 seems to be only exploitable by an authenticated user during the setup process.

Both vulnerabilities affect FileCatalyst Workflow 5.1.6 Build 139 (and earlier) and can be fixed only by upgrading vulnerable installations to v5.1.7.
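For defenders who need to triage their own FileCatalyst Workflow hosts, the following added example (not code from Fortra, Tenable or Dynatrace) combines the two facts reported above: the fixed version (5.1.7) and the default HSQLDB listener on TCP port 4406. The inventory format, hostnames and function names are assumptions made for illustration.

```python
import re
import socket

FIXED_VERSION = (5, 1, 7)   # first fixed release, per the article
HSQLDB_PORT = 4406          # default remote HSQLDB port, per the article


def parse_version(text):
    """Turn '5.1.6 Build 139' into ((5, 1, 6), 139); the build is optional."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), int(m.group(4) or 0)


def is_patched(text):
    """True when the release is 5.1.7 or later."""
    return parse_version(text)[0] >= FIXED_VERSION


def port_open(host, port=HSQLDB_PORT, timeout=2.0):
    """TCP connect only: no data is sent and no login is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory, probe=port_open):
    """Map host -> status, worst first. `probe` is injectable for offline use."""
    rank = {"unpatched, port reachable": 0, "unpatched": 1,
            "patched, port reachable": 2, "patched": 3}
    rows = []
    for asset in inventory:
        status = "patched" if is_patched(asset["version"]) else "unpatched"
        if probe(asset["host"]):
            status += ", port reachable"
        rows.append((asset["host"], status))
    return dict(sorted(rows, key=lambda r: rank[r[1]]))


if __name__ == "__main__":
    # Constructed inventory (hypothetical hostnames); replace with hosts you operate.
    sample = [{"host": "fcw-01.example.internal", "version": "5.1.6 Build 139"},
              {"host": "fcw-02.example.internal", "version": "5.1.7"}]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Run the probe from the network segments that should not be able to reach the database; a reachable port on an unpatched host is the combination the advisory describes.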
