...
Fixed in Apache Fineract 1.0.0
CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
Critical: An authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and is appended directly to the query.
List of vulnerable endpoints:
- /staff
- /clients
- /loans
- /centers
- /groups
Fix detail: Added logic to sanitize the sqlSearch parameter.
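The pattern behind this class of bug, shown here as an added Python/sqlite3 illustration rather than Fineract's own Java code: a caller-supplied `sqlSearch` fragment concatenated into a SELECT, next to a hardened variant that allowlists the searchable column and binds the value as a parameter. The table name, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a Fineract-style client table.
SAMPLE_CLIENTS = [
    (1, "Ann Smith", "ACTIVE"),
    (2, "Bob Jones", "ACTIVE"),
    (3, "Cara Lee", "CLOSED"),
]

# Only these columns may be searched; anything else is rejected outright.
ALLOWED_COLUMNS = {"display_name", "status"}


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE m_client (id INTEGER, display_name TEXT, status TEXT)")
    conn.executemany("INSERT INTO m_client VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def search_clients_unsafe(conn, sql_search):
    """Flawed pattern: the caller's fragment is appended verbatim to the WHERE
    clause, so any SQL it contains executes with the query's privileges."""
    query = "SELECT id, display_name FROM m_client WHERE " + sql_search
    return conn.execute(query).fetchall()


def search_clients_safe(conn, column, value):
    """Hardened form: the column is checked against an allowlist and the value
    is passed as a bound parameter, so it is matched literally, never parsed."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported search column: {column!r}")
    query = f"SELECT id, display_name FROM m_client WHERE {column} LIKE ?"
    return conn.execute(query, (f"%{value}%",)).fetchall()
```

The safe variant changes the API contract from "a raw SQL fragment" to "a column name plus a search value", which is what makes parameter binding possible; sanitizing a free-form fragment after the fact is far harder to get right.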
Release branch with the fix is available at https://github.com/apache/fineract/tree/1.0.0
Acknowledgements: We would like to thank Alex Ivanov and Apache Security team for reporting this issue.
...