
This page lists all security vulnerabilities fixed in a released version of Apache Fineract. Each vulnerability is reported via the http://www.apache.org/security/ process and given a security impact rating by the Apache security team - please note that this rating may vary from platform to platform.  If you have identified a security issue, email security AT fineract.apache.org.  


Fixed in Apache Fineract 1.5.0


CVE-2020-17514: Disabled Hostname verification for HTTPS  

[DESCRIPTION]: 

Critical:  Apache Fineract disables HTTPS hostname verification in `ProcessorHelper` in the `configureClient` method. 

Under typical deployments, a man in the middle attack could be successful. 

Release branch: The fix is available at https://github.com/apache/fineract/tree/1.5.0

Acknowledgements: We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue, and the Apache Security team for their assistance. 

Reported to security team: 15 October 2020
Fixed: 19 October 2020
Update Released: 23 May 2021
Issue public: 26 May 2021
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0

[REFERENCES]:  

https://issues.apache.org/jira/browse/FINERACT-1211 

[ASSIGNINGCNA]: none 
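As an added illustration (not Fineract's own code and not the fix shipped in 1.5.0), the following JDK-only guard can be run in a test suite against whatever HostnameVerifier a client builder ends up with, so that an accept-all verifier of the kind this advisory describes is caught before deployment. The class name, the probe hostname and the ACCEPT_ALL verifier are my own; the JDK default verifier is only consulted after the TLS engine's own endpoint check and rejects any direct call.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

/** Illustration only, not Fineract code: detects a HostnameVerifier that
 *  accepts every host, the condition described in CVE-2020-17514. */
public final class HostnameVerifierGuard {

    // The insecure pattern: any hostname is accepted, so a certificate issued for
    // any other domain satisfies the client and an on-path attacker can impersonate
    // the server. This is what must never reach a production client builder.
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    /** Returns true if the verifier accepts a hostname that cannot match any peer
     *  certificate (there is no TLS session at all). A correct verifier returns
     *  false or throws; an accept-all verifier returns true. */
    static boolean isPermissive(HostnameVerifier verifier) {
        try {
            return verifier.verify("no-such-host.invalid", null);
        } catch (RuntimeException e) {
            return false; // a strict verifier may reject the missing session by throwing
        }
    }

    public static void main(String[] args) {
        HostnameVerifier jdkDefault = HttpsURLConnection.getDefaultHostnameVerifier();
        System.out.println("JDK default verifier permissive? " + isPermissive(jdkDefault));
        System.out.println("accept-all verifier permissive?  " + isPermissive(ACCEPT_ALL));
    }
}
```

In a project test, assert that `isPermissive` is false for the verifier obtained from the configured HTTP client so a regression of this kind fails the build.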


Fixed in Apache Fineract 1.4.0


CVE-2018-20243: Unencrypted username and password in URL

Critical: Passing the password in a URL parameter instead of in the POST body risked exposing this credential, e.g. in log files and in HTTP intermediaries such as proxies.

Release branch: The fix is available at https://github.com/apache/fineract/tree/1.4.0

Acknowledgements: We would like to thank Abiy Atsbha (abiyats@gmail.com) for reporting this issue, and the Apache Security team for their assistance.

Reported to security team: 31 December 2018
Fixed: January 2020
Update Released: 18 September 2020
Issue public: 07 October 2020
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0

For additional information see https://issues.apache.org/jira/browse/FINERACT-726 and https://issues.apache.org/jira/browse/FINERACT-629. Note that client implementations (front-end UIs) should take this change into account, and production instances should always use safe techniques for transmitting security credentials.

Fixed in Apache Fineract 1.3.0

CVE-2016-4977: Remote code execution as a result of a CVE in an upstream dependency

Critical: A known vulnerability in the Spring Security upstream dependencies allowed malicious users to trigger remote code execution. Additional details at https://nvd.nist.gov/vuln/detail/CVE-2016-4977

Release branch: The fix is available at https://github.com/apache/fineract/tree/1.3.0

Acknowledgements: We would like to thank Roberto (extranewbugs@gmail.com) for reporting this issue, and the Apache Security team for their assistance.

Reported to security team: 17 December 2018
Fixed: February 2019
Update Released: 27 March 2019
Issue public: 15 October 2019
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0



CVE-2018-11800 and CVE-2018-11801: Apache Fineract SQL Injection Vulnerability

Important: Two SQL Injection vulnerabilities were reported; the first one in a query on the GroupSummaryCounts table, the second on the m_center data table.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.3.0

Acknowledgements: We would like to thank Niels Heinen from Google for reporting this issue, and the Apache Security team for their assistance.

Reported to security team: 29 August 2018
Fixed: December 2018 & January 2019
Update Released: 27 March 2019
Issue public: 9 May 2019
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0



Fixed in Apache Fineract 1.1.0

CVE-2018-1292: Apache Fineract SQL Injection Vulnerability - Injection via reportName parameter

Critical: Within the 'getReportType' method, an attacker could inject SQL by way of the 'reportName' parameter to read or update data for which he has no authorization.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.1.0

Acknowledgements: We would like to thank 圆珠笔 (627963028@qq.com) and the Apache Security team for reporting this issue.

Reported to security team: 23 January 2018
Issue public: 19 April 2018
Update Released: 23 March 2018
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0

CVE-2018-1291: Apache Fineract SQL Injection Vulnerability - Order by injection via Order Param

Critical: Apache Fineract exposes different REST end points to query domain specific entities with a query parameter 'orderBy' which is appended directly to SQL statements. An attacker/user can craft the 'orderBy' query parameter by way of the "order" param in such a way as to read/update data for which he doesn't have authorization.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.1.0

Acknowledgements: We would like to thank 圆珠笔 (627963028@qq.com) and the Apache Security team for reporting this issue.

Reported to security team: 23 January 2018
Issue public: 19 April 2018
Update Released: 23 March 2018
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0

CVE-2018-1290: Apache Fineract SQL Injection Vulnerability - Single quotation escape caused by two continuous SQL parameters

Critical: Using a single quotation escape with two consecutive SQL parameters can cause a SQL injection. This could be done in methods such as retrieveAuditEntries of the AuditsApiResource class and retrieveCommands of the MakercheckersApiResource class.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.1.0

Acknowledgements: We would like to thank 圆珠笔 (627963028@qq.com) and the Apache Security team for reporting this issue.

Reported to security team: 23 January 2018
Issue public: 19 April 2018
Update Released: 23 March 2018
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0

CVE-2018-1289: Apache Fineract SQL Injection Vulnerability by orderBy and sortOrder parameters

Critical: Apache Fineract exposes different REST end points to query domain specific entities with the query parameters 'orderBy' and 'sortOrder', which are appended directly to SQL statements. An attacker/user can craft the 'orderBy' and 'sortOrder' query parameters in such a way as to read/update data for which he doesn't have authorization.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.1.0

Acknowledgements: We would like to thank 圆珠笔 (627963028@qq.com) and the Apache Security team for reporting this issue.

Reported to security team: 18 January 2018
Issue public: 19 April 2018
Update Released: 23 March 2018
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0


Fixed in Apache Fineract 1.0.0


CVE-2017-5663: Apache Fineract SQL Injection Vulnerability

Critical: An authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and is appended directly to the query.

List of vulnerable endpoints:
- /staff
- /clients
- /loans
- /centers
- /groups

Fix detail: Added logic to sanitize the sqlSearch parameter.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.0.0

Acknowledgements: We would like to thank Alex Ivanov and the Apache Security team for reporting this issue.

Reported to security team: 02 April 2017
Issue public: 13 December 2017
Update Released: 01 Jun 2017
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating
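The following added example is not Fineract code and not any of the fixes shipped in the releases above; it contrasts the direct concatenation of 'orderBy' and 'sortOrder' described in CVE-2018-1289 and CVE-2018-1291 with an allowlist-based builder, which is the standard remedy because column names and sort directions cannot be passed as JDBC bind parameters. The same concatenation flaw underlies the reportName and sqlSearch entries. The table alias, column names and the hostile sample value are assumptions constructed for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Illustration only, not Fineract code: the unsafe ORDER BY concatenation the
 *  advisories describe, beside an allowlist-based builder. */
public final class OrderByExample {

    // Vulnerable pattern: caller-controlled orderBy/sortOrder go straight into SQL.
    static String unsafeQuery(String orderBy, String sortOrder) {
        return "select c.id, c.display_name from m_center c order by " + orderBy + " " + sortOrder;
    }

    // Hardened pattern: the API name a client may sort on is mapped to a fixed SQL
    // column, and only the two sort directions are accepted. Anything else is an error.
    private static final Map<String, String> SORTABLE_COLUMNS = Map.of(
            "id", "c.id",
            "displayName", "c.display_name"); // assumed columns for the illustration
    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    static String safeQuery(String orderBy, String sortOrder) {
        String column = SORTABLE_COLUMNS.get(orderBy);
        if (column == null) {
            throw new IllegalArgumentException("unsupported orderBy: " + orderBy);
        }
        String direction = sortOrder == null ? "asc" : sortOrder.toLowerCase(Locale.ROOT);
        if (!DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("unsupported sortOrder: " + sortOrder);
        }
        // Only allowlisted literals reach the statement, so no request text is ever embedded.
        return "select c.id, c.display_name from m_center c order by " + column + " " + direction;
    }

    public static void main(String[] args) {
        // Constructed sample input: a sortOrder value that is not a plain direction.
        String hostile = "asc, 1 /* injected */";
        System.out.println(unsafeQuery("id", hostile)); // the request text is embedded verbatim
        try {
            safeQuery("id", hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(safeQuery("displayName", "DESC"));
    }
}
```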