This page lists all security vulnerabilities fixed in released versions of Apache Fineract. Each vulnerability is given a security impact rating by the Apache security team - please note that this rating may vary from platform to platform.
Fixed in Apache Fineract 1.0.0
CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
Critical: An authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and is appended directly to the query.
List of vulnerable endpoints:
- /centers
Fix detail: Added logic to sanitize the sqlSearch parameter.
Release branch with the fix is available at https://github.com/apache/fineract/tree/1.0.0
Acknowledgements: We would like to thank Alex Ivanov and Apache Security team for reporting this issue.
Reported to security team: 02 April 2017
Issue public: 13 December 2017
Update released: 01 June 2017
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating
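The defect class described in this advisory, as an added illustration that is neither Fineract's code nor the project's actual fix: a constructed in-memory SQLite table stands in for a centers table, `search_centers_vulnerable` appends the caller's `sqlSearch` string to the query text the way the advisory describes, and `search_centers_hardened` shows one defensible replacement, accepting only a plain search term, allowlisting its characters and binding it as a query parameter. The table, column and function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data; m_center is only a stand-in for a centers table,
# not Fineract's schema.
ROWS = [
    ("Head Office Center", 1),
    ("Branch A Center", 2),
    ("Branch B Center", 3),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE m_center (id INTEGER PRIMARY KEY, name TEXT, office_id INTEGER)"
    )
    conn.executemany("INSERT INTO m_center (name, office_id) VALUES (?, ?)", ROWS)
    return conn


def search_centers_vulnerable(conn, sql_search):
    """The pattern the advisory describes: the raw sqlSearch value is appended
    to the query, so whatever the caller sends is executed as SQL."""
    query = "SELECT id, name FROM m_center WHERE " + sql_search
    return conn.execute(query).fetchall()


# Allowlist for a plain search term: letters, digits, space, dot, underscore,
# hyphen. Quotes, comparison operators, comment markers and LIKE wildcards are
# all outside the set, so they are rejected before any query is built.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def is_valid_search_term(term):
    """True when the term is made only of allowlisted characters."""
    return isinstance(term, str) and SEARCH_TERM.fullmatch(term) is not None


def search_centers_hardened(conn, search_term):
    """Structured search: the caller supplies a term, never a SQL fragment.
    The term is validated against the allowlist and then bound as a query
    parameter, so the database driver always treats it as data."""
    if not is_valid_search_term(search_term):
        raise ValueError("search term contains characters outside the allowed set")
    pattern = "%" + search_term + "%"
    return conn.execute(
        "SELECT id, name FROM m_center WHERE name LIKE ?", (pattern,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Intended use of the free-form parameter and what happens when the
    # predicate is replaced by one that is always true.
    print(search_centers_vulnerable(db, "name LIKE '%Branch%'"))
    print(search_centers_vulnerable(db, "1=1"))
    # The hardened form only ever matches the term as text.
    print(search_centers_hardened(db, "Branch"))
    print(is_valid_search_term("1=1 OR name LIKE '%'"))
```

The two layers in the hardened version are deliberate: parameter binding is what actually removes the injection, and the allowlist is an inexpensive second check that also gives you a clean point at which to log and alert on rejected input.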