Critical SQL Injection Vulnerability in Fortra FileCatalyst Workflow Exposed

June 26, 2024

Fortra FileCatalyst Workflow, a web-based platform for file exchange and sharing, is vulnerable to an SQL injection flaw that could allow remote, unauthenticated attackers to create rogue admin users and manipulate the application database. The platform, which supports very large files, is used by organizations worldwide to speed up data transfers and collaborate in private cloud spaces. The critical vulnerability, tracked as CVE-2024-5276, was discovered by Tenable researchers in May 2024 but was only made public on June 18, 2024.

Fortra, in a security bulletin, clarified that while the flaw allows for the creation of admin users and manipulation of the database, it does not enable data theft. The company stated, "A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include the creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability."

The flaw affects all versions up to and including FileCatalyst Workflow 5.1.6 Build 135. The fix ships in FileCatalyst Workflow 5.1.6 Build 139, which is the recommended upgrade. Note that unauthenticated exploitation additionally requires anonymous access to be enabled on the target instance; where it is disabled, an attacker needs valid credentials to exploit CVE-2024-5276.

Tenable first identified CVE-2024-5276 on May 15, 2024, and reported it to Fortra on May 22 together with a proof-of-concept (PoC) exploit. Tenable's exploit shows how an anonymous remote attacker can perform SQL injection through the 'jobID' parameter, which is accepted by several URL endpoints of the Workflow web app. The root cause is that the 'findJob' method concatenates the user-supplied 'jobID' directly into the 'WHERE' clause of an SQL query, without validating the value or binding it as a parameter, so an attacker can append arbitrary SQL to the lookup.
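The following is an added illustration of the bug class described above, not Tenable's PoC or Fortra's code. It models a 'findJob' lookup two ways against a constructed in-memory SQLite schema (the 'jobs' and 'users' tables, the 'backdoor' payload and the use of 'executescript' to stand in for a database driver that runs stacked statements are all assumptions made for the example): the vulnerable version concatenates 'jobID' into the WHERE clause, which lets a stacked INSERT create an admin user, and the fixed version binds 'jobID' as a query parameter, which turns the same payload into an inert string that matches no job.

```python
import sqlite3

# Constructed attack value: closes the quoted literal, stacks an INSERT that
# creates an admin user, and comments out the dangling quote.
PAYLOAD = "1'; INSERT INTO users (username, is_admin) VALUES ('backdoor', 1); --"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE jobs  (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE users (username TEXT PRIMARY KEY, is_admin INTEGER NOT NULL);
        INSERT INTO jobs  VALUES (1, 'nightly-sync');
        INSERT INTO users VALUES ('alice', 0);
        """
    )
    return conn


def admins(conn: sqlite3.Connection) -> list[str]:
    """Usernames that currently hold the admin flag."""
    rows = conn.execute(
        "SELECT username FROM users WHERE is_admin = 1 ORDER BY username"
    )
    return [r[0] for r in rows]


def find_job_vulnerable(conn: sqlite3.Connection, job_id: str) -> str:
    """Vulnerable pattern: jobID is pasted into the WHERE clause as text.

    executescript() runs every statement in the string, modelling a driver
    that accepts stacked statements (assumption). Returns the SQL that
    reached the database so the caller can see what was executed.
    """
    sql = f"SELECT id, name FROM jobs WHERE id = '{job_id}'"
    conn.executescript(sql)
    return sql


def find_job_fixed(conn: sqlite3.Connection, job_id: str) -> list[tuple]:
    """Fixed pattern: jobID is bound as a parameter, never parsed as SQL.

    The placeholder is filled by the driver after parsing, so quotes and
    semicolons in job_id cannot change the statement's structure.
    """
    return conn.execute(
        "SELECT id, name FROM jobs WHERE id = ?", (job_id,)
    ).fetchall()


def demonstrate() -> dict:
    """Run the payload through both variants and report the outcome."""
    vuln = make_db()
    find_job_vulnerable(vuln, PAYLOAD)

    fixed = make_db()
    payload_rows = find_job_fixed(fixed, PAYLOAD)
    normal_rows = find_job_fixed(fixed, "1")

    return {
        "admins_after_vulnerable": admins(vuln),   # ['backdoor']
        "admins_after_fixed": admins(fixed),       # []
        "fixed_rows_for_payload": payload_rows,    # []
        "fixed_rows_for_job_1": normal_rows,       # [(1, 'nightly-sync')]
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Parameter binding is the fix that matters; on top of it, a lookup keyed by a numeric job identifier should also reject any 'jobID' that is not a well-formed integer before the query is built, so that malformed values are refused at the edge rather than handed to the database at all.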

There have been no reports of in-the-wild exploitation to date, but the public release of a working exploit could change that quickly. Fortra products have been targeted before: in early 2023, the Clop ransomware gang exploited a Fortra GoAnywhere MFT zero-day, tracked as CVE-2023-0669, in data theft attacks used to extort hundreds of organizations running the product.
