7.8
CWE
259
EPSS
0.043%
Advisory Published
Updated

CVE-2024-5275: Hard-coded password in FileCatalyst Direct 3.8.10 Build 138 TransferAgent (and earlier) and FileCatalyst Workflow 5.1.6 Build 130 (and earlier)

First published: Tue Jun 18 2024(Updated: )

A hard-coded password in the FileCatalyst TransferAgent can be found which can be used to unlock the keystore from which contents may be read out, for example, the private key for certificates. Exploit of this vulnerability could lead to a machine-in-the-middle (MiTM) attack against users of the agent. This issue affects all versions of FileCatalyst Direct from 3.8.10 Build 138 and earlier and all versions of FileCatalyst Workflow from 5.1.6 Build 130 and earlier.

Credit: df4dee71-de3a-4139-9588-11b62fe6c0ff

Remedy

For FileCatalyst Direct users, upgrade to 3.8.10 build 144 (or higher) For FileCatalyst Workflow users, upgrade to 5.1.6 build 133 (or later) For those using the FileCatalyst TransferAgent remotely, e.g., as a remote-controlled node accepting REST calls, update REST calls to "http". If "https" is still required, a new SSL key and add it to the agent keystore.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203