SQL Injection Vulnerability in FileCatalyst Workflow 5.1.6 Build 135 (and earlier)

FI-2024-008 - SQL Injection Vulnerability in FileCatalyst Workflow 5.1.6 Build 135 (and earlier)

Severity: Critical
Published Date: 25-Jun-2024
Updated Date: 25-Jun-2024
Vulnerabilities: CVE-2024-5276
 
Notes
Description

A SQL injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled; otherwise, an authenticated user is required. This issue affects FileCatalyst Workflow 5.1.6 Build 135 and all earlier versions.

 

Vulnerabilities

 
SQL Injection Vulnerability
Severity: Critical
CVE: CVE-2024-5276
CWE: CWE-20 and CWE-89: Improper Input Validation and Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Discovery Date: 18-Jun-2024
CVSSv3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products: FileCatalyst Workflow 5.1.6 Build 135 (and earlier)
Vulnerability Notes
Description

CAPEC-66 SQL Injection

This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input.

 
Remediation: Vendor Fix

FileCatalyst Workflow users should upgrade to 5.1.6 build 139 (or later).
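
To triage an inventory against the version boundaries stated in this advisory, the following added example (not Fortra's code) classifies each installed version. The "5.1.6 Build 135" string format, the hostnames and the sample versions are assumptions; builds between the last affected and first fixed build are not mentioned by the advisory, so they are reported as unknown.

```python
import re

# Boundaries taken from the advisory text.
LAST_AFFECTED = (5, 1, 6, 135)   # "5.1.6 Build 135 (and earlier)"
FIRST_FIXED = (5, 1, 6, 139)     # "5.1.6 build 139 (or later)"

# Assumed version-string shape, e.g. "5.1.6 Build 135"; "build" in any case.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d+))?\s*$", re.IGNORECASE)


def classify(version_string):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    m = VERSION_RE.match(version_string)
    if not m:
        return "unknown"
    release = tuple(int(x) for x in m.group(1, 2, 3))
    build = m.group(4)
    if build is None:
        # Only releases other than 5.1.6 are decidable without a build number.
        if release == LAST_AFFECTED[:3]:
            return "unknown"
        return "affected" if release < LAST_AFFECTED[:3] else "fixed"
    full = release + (int(build),)
    if full <= LAST_AFFECTED:
        return "affected"
    if full >= FIRST_FIXED:
        return "fixed"
    # Builds 136-138 of 5.1.6 are not mentioned by the advisory.
    return "unknown"


def triage(inventory):
    """Map each host to its classification; anything not 'fixed' needs follow-up."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "workflow-01": "5.1.6 Build 135",
    "workflow-02": "5.1.6 build 139",
    "workflow-03": "5.1.5 Build 210",
    "workflow-04": "5.1.6 Build 137",
    "workflow-05": "5.1.6",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```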

 
Acknowledgements

Fortra would like to thank the following individuals:

  • Tenable Research