CVE-2024-6633 (CVSS 9.8): Critical Flaw in Fortra FileCatalyst Workflow
Fortra, a prominent provider of enterprise file transfer solutions, has released an urgent security advisory highlighting two critical vulnerabilities within its FileCatalyst Workflow product. Designated as CVE-2024-6633 and CVE-2024-6632, these vulnerabilities pose a significant risk to the confidentiality, integrity, and availability of sensitive data and systems.
CVE-2024-6633, classified as a critical vulnerability with a CVSS score of 9.8, arises from the inadvertent disclosure of default credentials for the HSQLDB setup database within a vendor knowledge base article. While this database is designed for installation purposes only and not intended for production environments, users who have not configured FileCatalyst Workflow to use an alternative database remain susceptible to exploitation from any source capable of reaching the HSQLDB instance.
CVE-2024-6632, a SQL injection vulnerability with a CVSS score of 7.2, presents an additional security risk. It allows a super admin user to leverage a specific field within the FileCatalyst Workflow interface to inject and execute malicious SQL commands. This can lead to unauthorized data access, modification, or deletion, resulting in a significant compromise of data integrity and system availability.
Affected Products:
- FileCatalyst Workflow 5.1.6 Build 139 and earlier versions
Recommended Action:
Fortra strongly urges all customers using affected FileCatalyst Workflow versions to upgrade to version 5.1.7 or later without delay. This critical update addresses both vulnerabilities and is vital in safeguarding your organization’s data and systems.
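To act on the affected-version and upgrade guidance above, an inventory check needs to parse FileCatalyst Workflow version strings such as "5.1.6 Build 139" and compare them against the advisory's boundaries. The following is an added example (not Fortra's code or tooling); the version-string format it parses and the sample inventory are constructed assumptions, and the advisory's own numbers (last affected 5.1.6 Build 139, fixed in 5.1.7) are the only values taken from the page.

```python
import re
from typing import Dict, Optional, Tuple

# Values from the advisory: 5.1.6 Build 139 and earlier are affected; 5.1.7 contains the fix.
LAST_AFFECTED = (5, 1, 6, 139)
FIXED = (5, 1, 7)

# Assumed format: "major.minor.patch" with an optional "Build N" / "bN" suffix.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:build|b)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, Optional[int]]:
    """Return (major, minor, patch, build); build is None when the string has none."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised FileCatalyst Workflow version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), (int(build) if build is not None else None)


def in_advisory_range(text: str) -> bool:
    """True when the version falls inside the range the advisory lists as affected."""
    major, minor, patch, build = parse_version(text)
    base = (major, minor, patch)
    if base != LAST_AFFECTED[:3]:
        return base < LAST_AFFECTED[:3]
    # Same 5.1.6 release: only Build 139 and earlier are listed. A missing build
    # number cannot be shown to be newer, so it is treated as affected.
    return build is None or build <= LAST_AFFECTED[3]


def needs_upgrade(text: str) -> bool:
    """Conservative policy: anything below the fixed release (5.1.7) should be upgraded."""
    major, minor, patch, _ = parse_version(text)
    return (major, minor, patch) < FIXED


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Map host -> (in advisory range, needs upgrade) for a host:version inventory."""
    return {host: (in_advisory_range(v), needs_upgrade(v)) for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mft-01": "5.1.6 Build 139", "mft-02": "5.1.7", "mft-03": "5.0.3 b17"}
    for host, (affected, upgrade) in triage(sample).items():
        print(f"{host}: affected={affected} needs_upgrade={upgrade}")
```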