This page lists all security vulnerabilities fixed in released version of Apache Fineract. Each vulnerability is given a security impact rating by the Apache security team - please note that this rating may vary from platform to platform.
| Fixed in Apache Fineract 1.0.0 |
|---|
CVE-2017-5663: Apache Fineract SQL Injection Vulnerability
Critical: An authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and appended directly to the query
List of vulnerable endpoints:
- /staff
- /clients
- /loans
- / centers
- /groups
Release branch with the fix is available at https://github.com/apache/fineract/tree/1.0.0
Acknowledgements: We would like to thank Alex Ivanov and Apache Security team for reporting this issue.
| Reported to security team | 02 April 2017 |
| Issue public | 13 December 2017 |
| Update Released | 01 Jun 2017 |
Affects | 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating |