Introduction
We recently identified multiple vulnerabilities in Thinfinity Workspace versions prior to 7.0.2.113. While these issues are not immediately critical for all environments, updating to the latest version is strongly recommended to ensure robust security and system integrity.
Cybele Software remains committed to providing a secure experience, and this update includes essential patches to address these vulnerabilities.
Vulnerabilities Identified:
The following vulnerabilities have been identified in Thinfinity Workspace versions prior to 7.0.2.113:
- CVE-2024-40404
- CVE-2024-40408
- CVE-2024-40410
- CVE-2024-40407
- CVE-2024-40405
These vulnerabilities may affect various components of Thinfinity Workspace and could expose your environment to security risks if left unpatched. We advise all users on affected versions to prioritize upgrading to the latest release to mitigate potential exposure.
Acknowledgements / Credits
Credits to NATO Cyber Security Centre (NCSC)
Vulnerability Details
CVE-2024-40404
- Product: Thinfinity Workspace < 7.0.2.113
- CVSS Score: 9.8
- Description: A critical vulnerability exists that could allow a malicious actor with device access to intercept and obtain a user’s session by exploiting unauthorized contact with the API endpoint managing WebSocket connections. Immediate mitigation is advised.
CVE-2024-40408
- Product: Thinfinity Workspace < 7.0.2.113
- CVSS Score: 7.3
- Description: This vulnerability arises from insufficient access controls during profile creation. Attackers with valid credentials can exploit an API request to bypass security, enabling unauthorized profile creation and access to resources.
CVE-2024-40410
- Product: Thinfinity Workspace < 7.0.2.113
- CVSS Score: 4.7
- Description: A hardcoded cryptographic key within the Thinfinity WebDAV component may compromise the integrity and confidentiality of JWT tokens used for WebDAV authentication, potentially impacting secure data handling.
CVE-2024-40407
- Product: Thinfinity Workspace < 7.0.2.113
- CVSS Score: 7.5
- Description: This vulnerability allows an authenticated attacker to access the software’s root path, which could expose underlying system details and directories, increasing risk of further targeted attacks.
CVE-2024-40405
- Product: Thinfinity Workspace < 7.0.3.109
- CVSS Score: 8.1
- Description: A flaw has been identified when a remote application is accessible across multiple secondary brokers with restricted user access. By altering request data in transit, a user with access to only one broker can gain unauthorized access to the application in another broker, bypassing set restrictions.
Update Patch Recommendation
To fully address these vulnerabilities, Cybele Software recommends that all users upgrade to a version beyond v7.0.3.109. For optimal security and feature enhancements, we encourage customers to consider upgrading directly to Thinfinity Workspace v8.0.0.101, our latest release. Version 8.0.0.101 not only includes comprehensive patches for the identified issues but also introduces additional security improvements and new functionalities that enhance overall performance and protection.
For more information on the latest version and to download the update, please visit our Thinfinity Workspace update page. If you need assistance with the upgrade, our support team is available to help ensure a smooth transition to the latest version.