This page lists all security vulnerabilities fixed in released versions of Apache Fineract. Each vulnerability is given a security impact rating by the Apache security team - please note that this rating may vary from platform to platform.

Fixed in Apache Fineract 1.0.0

CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
Critical: An authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and is appended directly to the query.

List of vulnerable endpoints:
- /staff
- /clients
- /loans
- /centers
- /groups

Fix detail: Added logic to sanitize the sqlSearch parameter.
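As an added illustration (not Fineract's code or its actual fix), the following Python/sqlite3 snippet stands in for the project's Java/JDBC query code: it shows the pattern the advisory describes, where the caller's sqlSearch text is appended to the WHERE clause unchanged, beside a hypothetical hardened version that accepts only one `column = 'value'` or `column LIKE 'value'` clause, checks the column against an allow-list, and binds the value as a parameter. The table and rows are constructed sample data, not Fineract's schema.

```python
import re
import sqlite3

# Constructed sample data standing in for a clients table (not Fineract's schema).
SAMPLE_CLIENTS = [
    (1, "Alice Mwangi", "active"),
    (2, "Bob Otieno", "closed"),
    (3, "Carol Njeri", "active"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE m_client (id INTEGER, display_name TEXT, status TEXT)")
    conn.executemany("INSERT INTO m_client VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def search_vulnerable(conn, sql_search):
    """The pattern the advisory describes: caller-supplied text is appended to
    the WHERE clause unchanged, so the caller controls the rest of the query."""
    query = "SELECT id, display_name FROM m_client WHERE " + sql_search
    return conn.execute(query).fetchall()


# Hypothetical hardening (not the project's fix): only these columns may be
# filtered on, and only as a single "<column> = '<value>'" / LIKE clause.
ALLOWED_COLUMNS = {"id", "display_name", "status"}
CLAUSE_RE = re.compile(r"^\s*(\w+)\s*(=|like)\s*'([^']*)'\s*$", re.IGNORECASE)


def search_hardened(conn, sql_search):
    """Parse sqlSearch into (column, operator, value); reject anything that is
    not exactly one allow-listed clause; bind the value as a parameter so it
    can never be interpreted as SQL."""
    m = CLAUSE_RE.match(sql_search)
    if not m:
        raise ValueError("sqlSearch must be a single <column> = '<value>' clause")
    column, op, value = m.group(1).lower(), m.group(2).upper(), m.group(3)
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not searchable: {column}")
    query = f"SELECT id, display_name FROM m_client WHERE {column} {op} ?"
    return conn.execute(query, (value,)).fetchall()
```

A trailing `OR 1=1` widens the vulnerable query to every row, while the hardened version refuses the same input before it reaches the database.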

Release branch with the fix is available at

Acknowledgements: We would like to thank Alex Ivanov and Apache Security team for reporting this issue.

Reported to security team: 02 April 2017
Issue public: 13 December 2017
Update Released: 01 Jun 2017


Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating
