Critical SQL Injection Vulnerability in Fortra FileCatalyst Workflow Exposed

June 26, 2024

The Fortra FileCatalyst Workflow, a web-based platform for file exchange and sharing, is vulnerable to an SQL injection flaw that could allow remote unauthenticated attackers to create rogue admin users and manipulate the application database. This platform, which supports large file sizes, is used by organizations globally to speed up data transfers and collaborate in private cloud spaces. The critical vulnerability, known as CVE-2024-5276, was first identified by Tenable researchers on June 18, 2024, but was only recently made public.

Fortra, in a security bulletin, clarified that while the flaw allows for the creation of admin users and manipulation of the database, it does not enable data theft. The company stated, "A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include the creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability."

The flaw affects versions up to and including FileCatalyst Workflow 5.1.6 Build 135. Fixes are available in the newer version, FileCatalyst Workflow 5.1.6 build 139, which is the recommended upgrade for users. Exploitation without authentication also necessitates that anonymous access is enabled on the target instance; otherwise, authentication would be required to exploit CVE-2024-5276.

Tenable first identified CVE-2024-5276 on May 15, 2024, and disclosed the issue to Fortra on May 22, along with a proof-of-concept (PoC) exploit demonstrating the vulnerability. Tenable's exploit shows how an anonymous remote attacker can perform SQL injection via the 'jobID' parameter in various URL endpoints of the Workflow web app. The issue arises because the 'findJob' method uses a user-supplied 'jobID' without sanitizing the input to form the 'WHERE' clause in an SQL query, allowing an attacker to insert malicious code.

There have been no reports of active exploitation of the issue to date, but the release of a working exploit could change that soon. In early 2023, the Clop ransomware gang exploited a Fortra GoAnywhere MFT zero-day vulnerability, tracked as CVE-2023-0669, in data theft attacks to blackmail hundreds of organizations using the product.

Related News

• Sharp Panda Expands Cyber Espionage Reach to African and Caribbean Governments
• Critical Exploit Released for Fortra's GoAnywhere MFT Authentication Bypass Vulnerability
• Critical Authentication Bypass Vulnerability in GoAnywhere MFT: Urgent Patch Recommended
• MGM Under Fire for Repeated Cybersecurity Lapses: BlackCat Ransomware Gang Suspected
• Rise in Ransomware Attacks Through Zero-Day Exploits: An Analysis

Latest News

• Apple Fixes AirPods Bluetooth Security Flaw Allowing Unauthorized Access
• Major Supply Chain Attack Impacts Over 110,000 Websites Through Hijacked Polyfill Service
• Freshly Revealed MOVEit Vulnerability Exploited Within Hours
• CISA Confirms Data Breach in Chemical Security Assessment Tool: Potential Exposure of Sensitive Information
• Critical Remote Code Execution Vulnerability Found in Ollama AI Infrastructure Tool