Stratos Ally

Fortra Releases Patch for FileCatalyst Workflow Security Vulnerability  


StratosAlly


Fortra has addressed a critical security flaw in FileCatalyst Workflow that could allow remote attackers to gain administrative access. The vulnerability, tracked as CVE-2024-6633, has a CVSS score of 9.8 and stems from the use of a static password for connecting to the HSQL database.

According to Fortra’s advisory, the default credentials for the HSQL database (HSQLDB) used in FileCatalyst Workflow are available in a vendor knowledge base article. Misuse of these credentials may compromise the confidentiality, integrity, or availability of the software.

According to the vendor, HSQLDB was initially included to assist with installation; it has since been deprecated and should not be used in production environments. However, users who have not switched to a different database remain at risk of attack from anyone who can reach the HSQLDB.

Cybersecurity firm Tenable, which discovered and reported the issue, also noted that the HSQLDB is reachable remotely on TCP port 4406 by default. This configuration lets remote attackers connect using the static password and execute malicious operations.

Following responsible disclosure on July 2, 2024, Fortra issued a patch in FileCatalyst Workflow version 5.1.7 and later that addresses this vulnerability. The patch also resolves a high-severity SQL injection flaw (CVE-2024-6632, CVSS score: 7.2), which allows unauthorized database modifications via an unvalidated form submission during setup.

Dynatrace researcher Robin Wyss explained, “During FileCatalyst Workflow setup, users provide company information through a form submission. The data is used in a database query without proper input validation, allowing attackers to modify the query and make unauthorized changes to the database.”
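To make the injection class described above concrete, here is an added example that is not from the article, Fortra, or FileCatalyst's code base. It models a setup form that stores company information: one handler builds the SQL text by string concatenation, the other binds the form values as parameters. The table and column names, the `users` table, and the sample form input are all constructed for the example; an in-memory SQLite database stands in for HSQLDB, and `executescript` is used in the vulnerable path to simulate a driver that accepts stacked statements.

```python
import sqlite3

# Constructed form input: a value that closes the intended INSERT and appends a
# second statement. It is here only to show the two handlers diverge.
SAMPLE_INPUT = "Acme', 'n/a'); UPDATE users SET role='admin' WHERE name='guest'; --"


def make_db():
    """Build a constructed in-memory schema; names are hypothetical, not FileCatalyst's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "admin"), ("guest", "user")])
    conn.commit()
    return conn


def save_company_vulnerable(conn, name, contact):
    """Form values are pasted into the SQL text, so they are parsed as SQL."""
    sql = f"INSERT INTO company (name, contact) VALUES ('{name}', '{contact}')"
    conn.executescript(sql)  # simulates a driver that runs stacked statements
    conn.commit()


def save_company_fixed(conn, name, contact):
    """Form values are bound as parameters, so they are stored as data only."""
    conn.execute("INSERT INTO company (name, contact) VALUES (?, ?)", (name, contact))
    conn.commit()


def user_roles(conn):
    """Return {username: role} so the test can check whether roles changed."""
    return dict(conn.execute("SELECT name, role FROM users"))


def company_names(conn):
    """Return the stored company names in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM company ORDER BY id")]


def compare_handlers(form_name, form_contact="x"):
    """Run the same form input through both handlers and report the guest role each leaves."""
    vuln = make_db()
    save_company_vulnerable(vuln, form_name, form_contact)
    fixed = make_db()
    save_company_fixed(fixed, form_name, form_contact)
    return user_roles(vuln)["guest"], user_roles(fixed)["guest"]


if __name__ == "__main__":
    print(compare_handlers(SAMPLE_INPUT))  # ('admin', 'user')
```

The parameterised handler stores the entire input string verbatim as the company name and leaves the `users` table untouched, which is the behaviour a setup form should have regardless of what the form contains; input validation on top of that is defence in depth, not a substitute for binding parameters.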
