Header background

New SQL injection vulnerability in FileCatalyst Workflow

Following Tenable Research’s disclosure of a critical SQL injection vulnerability in FileCatalyst Workflow in May 2024, further investigation by Dynatrace revealed another SQL injection vulnerability.

The vulnerability, identified as CVE-2024-6632, allows the abuse of a form submission during the setup process to make unauthorized modifications of the database. So far, the vulnerability only appears to be exploitable by an authenticated user during the setup process. To mitigate this vulnerability, users of the affected software are advised to upgrade to version 5.1.7.

How could an attacker exploit the new SQL injection vulnerability?

During the setup process of FileCatalyst Workflow, the user is prompted to provide company information via a form submission. The submitted data is used in a database statement, but the user input is not going through proper input validation. As a result, the attacker can modify the query. This allows for unauthorized modifications on the database. An attacker could potentially modify information on the database that go beyond what an authenticated user is allowed to do. They could also potentially modify other databases on the same database server.

Criticality

As of now, it appears this SQL injection vulnerability is only exploitable by an authenticated user during the setup process. It is therefore less critical than the previously disclosed vulnerability (CVE-2024-5276) and harder to exploit. Nevertheless, the vulnerability allows for unauthorized modification of the database, which, in certain scenarios, could be problematic.

How was the vulnerability discovered?

Dynatrace discovered the vulnerability as part of an investigation activity following the publication of CVE-2024-5276 by Tenable. An instance of FileCatalyst Workflow was instrumented by the Dynatrace OneAgent, which has the capability to automatically detect injection vulnerabilities in running applications. Shortly after the setup, Dynatrace reported the disclosed vulnerability, which allows an attacker to perform a SQL injection using the jobID parameter.

In addition to the known SQL injection vulnerability (tracked as CVE-2024-5276), Dynatrace OneAgent discovered a second SQL injection vulnerability with a different entry point. Dynatrace Runtime Vulnerability Analytics detects if user input is used in an unsafe way, which can lead to an injection attack and reports this as a code-level vulnerability. Further investigation showed that this vulnerability is still present in the version that provided a fix for CVE-2024-5276. It is also still possible to exploit this vulnerability by sending malicious input as part of the setup form.

How do I know if my FileCatalyst Workflow environment is affected?

If you are using FileCatalyst Workflow version 5.1.6 build 139 or earlier, you are affected by the vulnerability and should update your instance.

Read the advisory here.

How to patch and remediate CVE-2024-6632

To remediate the vulnerability, update FileCatalyst Workflow to version 5.1.7 or later.

Read the advisory here.

Please note that Dynatrace customers using Runtime Application Protection in blocking mode are protected against this vulnerability, as well as against CVE-2024-5276.

Coordinated vulnerability disclosure

The disclosure of this vulnerability was done in collaboration with Fortra.

Timeline:

2024-07-05: Dynatrace contacts Fortra to disclose the issue

2024-07-09: Fortra confirms the issue, and a CVE is reserved

2024-07-30: Dynatrace requests a status updated from Fortra

2024-07-30: Fortra provides an updated and release timeline

2024-08-27: Disclosure of vulnerability