Vulnerabilities related to Apache Software Foundation - Apache Fineract
CVE-2020-17514 (GCVE-0-2020-17514)
Vulnerability from cvelistv5
Published
2021-05-27 12:10
Modified
2024-08-04 14:00
CWE
- Missing Hostname Verification
Summary
Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man-in-the-middle attack could succeed.
References
▼ | URL | Tags |
---|---|---|
https://issues.apache.org/jira/browse/FINERACT-1211 | x_refsource_MISC | |
https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2021/05/27/2 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: Apache Fineract < 1.5.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:00:48.549Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/FINERACT-1211" }, { "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E" }, { "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "1.5.0", "status": "affected", "version": "Apache Fineract", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue" } ], "descriptions": [ { "lang": "en", "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Missing Hostname Verification", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-27T17:06:10", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.apache.org/jira/browse/FINERACT-1211" }, { "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E" }, { "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2" } ], "source": { "discovery": "UNKNOWN" }, "title": "disabled hostname verificiation", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2020-17514", "STATE": "PUBLIC", "TITLE": "disabled hostname verificiation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Fineract", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache Fineract", "version_value": "1.5.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Missing Hostname Verification" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.apache.org/jira/browse/FINERACT-1211", "refsource": "MISC", "url": "https://issues.apache.org/jira/browse/FINERACT-1211" }, { "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64@%3Cdev.fineract.apache.org%3E" }, { "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-17514", "datePublished": "2021-05-27T12:10:10", "dateReserved": "2020-08-12T00:00:00", "dateUpdated": "2024-08-04T14:00:48.549Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-44635 (GCVE-0-2022-44635)
Vulnerability from cvelistv5
Published
2022-11-29 00:00
Modified
2025-04-25 14:51
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend that users upgrade to 1.8.1.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: Apache Fineract 1.8 ≤ 1.8.0 Version: Apache Fineract 1.7 ≤ 1.7.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:54:03.993Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg" }, { "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-44635", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-25T14:50:47.128187Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-25T14:51:14.718Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.8.0", "status": "affected", "version": "Apache Fineract 1.8", "versionType": "custom" }, { "lessThanOrEqual": "1.7.0", "status": "affected", "version": "Apache Fineract 1.7", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team \u0026 Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. 
We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE. " } ], "descriptions": [ { "lang": "en", "value": "Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1." } ], "metrics": [ { "other": { "content": { "other": "important" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-29T00:00:00.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg" }, { "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-44635", "datePublished": "2022-11-29T00:00:00.000Z", "dateReserved": "2022-11-02T00:00:00.000Z", "dateUpdated": "2025-04-25T14:51:14.718Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-32838 (GCVE-0-2024-32838)
Vulnerability from cvelistv5
Published
2025-02-12 09:44
Modified
2025-02-12 18:03
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
SQL Injection vulnerability in various API endpoints (offices, dashboards, etc.). Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into the query parameters of some of the REST API endpoints.
Users are recommended to upgrade to version 1.10.1, which fixes this issue.
A SQL Validator has been implemented which allows a series of tests and checks to be configured against the SQL queries, validating them and protecting against nearly all potential SQL injection attacks.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/7l88h17pn9nf8zpx5bbojk7ko5oxo1dy | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 1.4 ≤ 1.9 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-32838", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-12T14:51:41.347771Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-12T15:56:18.737Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2025-02-12T18:03:27.737Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://www.openwall.com/lists/oss-security/2025/02/12/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.9", "status": "affected", "version": "1.4", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Kabilan S - Security engineer at Zoho" }, { "lang": "en", "type": "remediation developer", "value": "Aleksandar Vidakovic" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. 
Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\u003cbr\u003e\u003cbr\u003eA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e" } ], "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u00a0\nUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\n\nA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks." 
} ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } }, { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-12T09:44:15.943Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/7l88h17pn9nf8zpx5bbojk7ko5oxo1dy" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Fineract: SQL injection vulnerabilities in offices API endpoint", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-32838", "datePublished": "2025-02-12T09:44:15.943Z", "dateReserved": "2024-04-18T17:53:52.406Z", "dateUpdated": "2025-02-12T18:03:27.737Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-25196 (GCVE-0-2023-25196)
Vulnerability from cvelistv5
Published
2023-03-28 11:16
Modified
2024-10-23 15:14
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract.
Authorized users may be able to change or add data in certain components.
This issue affects Apache Fineract: from 1.4 through 1.8.2.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 1.4 ≤ 1.8.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:18:36.263Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-25196", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-23T15:14:35.403529Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-23T15:14:44.993Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.8.2", "status": "affected", "version": "1.4", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": " Zhang Baocheng at Leng Jing Qi Cai Security Lab" }, { "lang": "en", "type": "remediation developer", "value": "Aleks@apache.org" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to change or add data in certain components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.2.\u003c/p\u003e" } ], "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users may be able to change or add data in certain components. 
\u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.2.\n\n" } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-28T11:16:57.603Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Fineract: SQL injection vulnerability ", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-25196", "datePublished": "2023-03-28T11:16:57.603Z", "dateReserved": "2023-02-06T01:32:54.479Z", "dateUpdated": "2024-10-23T15:14:44.993Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-23538 (GCVE-0-2024-23538)
Vulnerability from cvelistv5
Published
2024-03-29 14:37
Modified
2025-02-13 17:39
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8.5.
Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 0 ≤ , < 1.8.5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:06:25.181Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "fineract", "vendor": "apache", "versions": [ { "lessThan": "1.8.5", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-23538", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-04-01T19:58:21.744925Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-21T22:45:12.821Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "1.8.5", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Yash Sancheti" }, { "lang": "en", "type": "reporter", "value": "Majd Alasfar of ProgressSoft" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: 
\u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e" } ], "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue." } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-01T18:11:52.233Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs" }, { "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": 
"f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-23538", "datePublished": "2024-03-29T14:37:40.374Z", "dateReserved": "2024-01-18T05:11:07.977Z", "dateUpdated": "2025-02-13T17:39:45.863Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-1289 (GCVE-0-2018-1289)
Vulnerability from cvelistv5
Published
2018-04-20 18:00
Modified
2024-09-17 04:08
CWE
- Information Disclosure
Summary
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes various REST endpoints for querying domain-specific entities with the query parameters 'orderBy' and 'sortOrder', which are appended directly to SQL statements. An attacker or user can craft the 'orderBy' and 'sortOrder' query parameters so as to read or update data for which they do not have authorization.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/104005 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/4a1312b18ed2979fba9e2df07839e6a940eeeea12ed9154db1a49a5a%40%3Cdev.fineract.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 1.0.0 Version: 0.6.0-incubating Version: 0.5.0-incubating Version: 0.4.0-incubating |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:59:37.666Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "104005", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/104005" }, { "name": "[dev] 20180419 [SECURITY] CVE-2018-1289: Apache Fineract SQL Injection Vulnerability by orderBy and sortOrder parameters", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/4a1312b18ed2979fba9e2df07839e6a940eeeea12ed9154db1a49a5a%40%3Cdev.fineract.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0" }, { "status": "affected", "version": "0.6.0-incubating" }, { "status": "affected", "version": "0.5.0-incubating" }, { "status": "affected", "version": "0.4.0-incubating" } ] } ], "datePublic": "2018-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter \u0027orderBy\u0027 and \u0027sortOrder\u0027 which are appended directly with SQL statements. A hacker/user can inject/draft the \u0027orderBy\u0027 and \u0027sortOrder\u0027 query parameter in such a way to read/update the data for which he doesn\u0027t have authorization." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-28T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "104005", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/104005" }, { "name": "[dev] 20180419 [SECURITY] CVE-2018-1289: Apache Fineract SQL Injection Vulnerability by orderBy and sortOrder parameters", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/4a1312b18ed2979fba9e2df07839e6a940eeeea12ed9154db1a49a5a%40%3Cdev.fineract.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-04-19T00:00:00", "ID": "CVE-2018-1289", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Fineract", "version": { "version_data": [ { "version_value": "1.0.0" }, { "version_value": "0.6.0-incubating" }, { "version_value": "0.5.0-incubating" }, { "version_value": "0.4.0-incubating" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter \u0027orderBy\u0027 and \u0027sortOrder\u0027 which are appended directly with SQL statements. A hacker/user can inject/draft the \u0027orderBy\u0027 and \u0027sortOrder\u0027 query parameter in such a way to read/update the data for which he doesn\u0027t have authorization." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "104005", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104005" }, { "name": "[dev] 20180419 [SECURITY] CVE-2018-1289: Apache Fineract SQL Injection Vulnerability by orderBy and sortOrder parameters", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/4a1312b18ed2979fba9e2df07839e6a940eeeea12ed9154db1a49a5a@%3Cdev.fineract.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1289", "datePublished": "2018-04-20T18:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-17T04:08:48.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-1292 (GCVE-0-2018-1292)
Vulnerability from cvelistv5
Published
2018-04-20 18:00
Modified
2024-09-16 19:56
CWE
- Information Disclosure
Summary
Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, an attacker could inject SQL by way of the 'reportName' parameter to read or update data for which they do not have authorization.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/104007 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/a24610817845d022d5fe89cfe21563ef83bea35ca95de867cd2c4ee9%40%3Cdev.fineract.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 1.0.0 Version: 0.6.0-incubating Version: 0.5.0-incubating Version: 0.4.0-incubating |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:59:37.977Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "104007", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/104007" }, { "name": "[dev] 20180419 [SECURITY] CVE-2018-1292: Apache Fineract SQL Injection Vulnerability - Injection via reportName parameter", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/a24610817845d022d5fe89cfe21563ef83bea35ca95de867cd2c4ee9%40%3Cdev.fineract.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0" }, { "status": "affected", "version": "0.6.0-incubating" }, { "status": "affected", "version": "0.5.0-incubating" }, { "status": "affected", "version": "0.4.0-incubating" } ] } ], "datePublic": "2018-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "Within the \u0027getReportType\u0027 method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn\u0027t have authorization for by way of the \u0027reportName\u0027 parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-28T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "104007", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/104007" }, { "name": "[dev] 20180419 [SECURITY] CVE-2018-1292: Apache Fineract SQL Injection Vulnerability - Injection via reportName parameter", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/a24610817845d022d5fe89cfe21563ef83bea35ca95de867cd2c4ee9%40%3Cdev.fineract.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-04-19T00:00:00", "ID": "CVE-2018-1292", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Fineract", "version": { "version_data": [ { "version_value": "1.0.0" }, { "version_value": "0.6.0-incubating" }, { "version_value": "0.5.0-incubating" }, { "version_value": "0.4.0-incubating" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Within the \u0027getReportType\u0027 method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn\u0027t have authorization for by way of the \u0027reportName\u0027 parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "104007", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104007" }, { "name": "[dev] 20180419 [SECURITY] CVE-2018-1292: Apache Fineract SQL Injection Vulnerability - Injection via reportName parameter", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/a24610817845d022d5fe89cfe21563ef83bea35ca95de867cd2c4ee9@%3Cdev.fineract.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1292", "datePublished": "2018-04-20T18:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-16T19:56:06.458Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-25197 (GCVE-0-2023-25197)
Vulnerability from cvelistv5
Published
2023-03-28 11:17
Modified
2024-10-23 15:14
Severity: moderate (Apache CNA textual rating; the record carries no CVSS vector). CISA SSVC: Exploitation none, Automatable no, Technical Impact partial.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract, in certain procedure calls (per the record's title).
Authenticated users may be able to exploit it, with limited impact on the affected components.
This issue affects Apache Fineract from 1.4 through 1.8.2; later releases are not listed as affected, so consult the linked advisory for the release that contains the fix.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | apache fineract |
Version: 1.4 ≤ affected ≤ 1.8.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:18:36.121Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-25197", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-23T15:14:09.196104Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-23T15:14:18.730Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "apache fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.8.2", "status": "affected", "version": "1.4", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg" }, { "lang": "en", "type": "remediation developer", "value": "aleks@apache.org" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to exploit this for limited impact on components. 
\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects apache fineract: from 1.4 through 1.8.2.\u003c/p\u003e" } ], "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\nAuthorized users may be able to exploit this for limited impact on components. \u00a0\n\nThis issue affects apache fineract: from 1.4 through 1.8.2.\n\n" } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-28T11:17:19.026Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04" } ], "source": { "discovery": "EXTERNAL" }, "title": "apache fineract: SQL injection vulnerability in certain procedure calls ", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-25197", "datePublished": "2023-03-28T11:17:19.026Z", "dateReserved": "2023-02-06T01:33:31.192Z", "dateUpdated": "2024-10-23T15:14:18.730Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-1290 (GCVE-0-2018-1290)
Vulnerability from cvelistv5
Published
2018-04-20 18:00
Modified
2024-09-16 22:03
CWE
- Information Disclosure (legacy free-text problem type; the underlying weakness is SQL injection, CWE-89)
Summary
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating and 0.4.0-incubating, a single-quote escape spanning two consecutive SQL parameters can cause SQL injection. This is reachable in methods such as retrieveAuditEntries of the AuditsApiResource class and retrieveCommands of the MakercheckersApiResource class.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/69cc2b54b32f0936f40dc9be41f41fe1566710a75edbe2eb0a948ae4%40%3Cdev.fineract.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/bid/103975 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 1.0.0 Version: 0.6.0-incubating Version: 0.5.0-incubating Version: 0.4.0-incubating |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:59:37.618Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[dev] 20180419 [SECURITY] CVE-2018-1290: Apache Fineract SQL Injection Vulnerability - Single quotation escape caused by two continuous SQL parameters", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/69cc2b54b32f0936f40dc9be41f41fe1566710a75edbe2eb0a948ae4%40%3Cdev.fineract.apache.org%3E" }, { "name": "103975", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/103975" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0" }, { "status": "affected", "version": "0.6.0-incubating" }, { "status": "affected", "version": "0.5.0-incubating" }, { "status": "affected", "version": "0.4.0-incubating" } ] } ], "datePublic": "2018-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and retrieveCommands of MakercheckersApiResource Class." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-27T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[dev] 20180419 [SECURITY] CVE-2018-1290: Apache Fineract SQL Injection Vulnerability - Single quotation escape caused by two continuous SQL parameters", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/69cc2b54b32f0936f40dc9be41f41fe1566710a75edbe2eb0a948ae4%40%3Cdev.fineract.apache.org%3E" }, { "name": "103975", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/103975" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-04-19T00:00:00", "ID": "CVE-2018-1290", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Fineract", "version": { "version_data": [ { "version_value": "1.0.0" }, { "version_value": "0.6.0-incubating" }, { "version_value": "0.5.0-incubating" }, { "version_value": "0.4.0-incubating" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and retrieveCommands of MakercheckersApiResource Class." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "[dev] 20180419 [SECURITY] CVE-2018-1290: Apache Fineract SQL Injection Vulnerability - Single quotation escape caused by two continuous SQL parameters", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/69cc2b54b32f0936f40dc9be41f41fe1566710a75edbe2eb0a948ae4@%3Cdev.fineract.apache.org%3E" }, { "name": "103975", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103975" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1290", "datePublished": "2018-04-20T18:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-16T22:03:02.684Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-25195 (GCVE-0-2023-25195)
Vulnerability from cvelistv5
Published
2023-03-28 11:16
Modified
2024-10-23 15:16
Severity: moderate (Apache CNA textual rating) — but CISA ADP scores it CVSS 3.1 8.1 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), SSVC Technical Impact total. Prioritize on the CVSS vector unless your deployment already blocks arbitrary outbound requests from the Fineract server.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) vulnerability in Apache Fineract, reachable through a template type by certain authenticated users (per the record's title).
Authenticated users with limited permissions can make the server issue outbound requests on their behalf, i.e. use the server as a relay for arbitrary outbound traffic.
This issue affects Apache Fineract from 1.4 through 1.8.3.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 1.4 ≤ affected ≤ 1.8.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:18:36.247Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fineract", "vendor": "apache", "versions": [ { "lessThanOrEqual": "1.8.3", "status": "affected", "version": "1.4.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-25195", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-23T15:15:05.674623Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-23T15:16:08.717Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.8.3", "status": "affected", "version": "1.4", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Huydoppa from GHTK " }, { "lang": "en", "type": "remediation developer", "value": "Aleksander" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache 
Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.3.\u003c/p\u003e" } ], "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.3.\n\n" } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-28T11:16:28.304Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Fineract: SSRF template type vulnerability in certain authenticated users", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-25195", "datePublished": "2023-03-28T11:16:28.304Z", "dateReserved": "2023-02-06T01:32:05.395Z", "dateUpdated": "2024-10-23T15:16:08.717Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-23537 (GCVE-0-2024-23537)
Vulnerability from cvelistv5
Published
2024-03-29 14:38
Modified
2025-02-13 17:39
Severity: important (Apache CNA textual rating); CVSS 3.1 8.4 HIGH (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L) from the CNA; CISA SSVC Technical Impact total.
CWE
- CWE-269 - Improper Privilege Management
Summary
Improper Privilege Management vulnerability in Apache Fineract: under certain circumstances, users without the specific permissions could escalate their privileges to any role (per the record's title). The description says this affects Apache Fineract versions before 1.8.5, but the affected-version entry in the record marks every release below 1.9.0 as affected, and 1.9.0 is the only fixed release named.
Users are recommended to upgrade to version 1.9.0, which fixes the issue; do not assume 1.8.5 is fixed for this CVE.
References (from the record below): https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report (vendor advisory); https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1 (vendor advisory); http://www.openwall.com/lists/oss-security/2024/03/29/1
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 0 ≤ affected < 1.9.0 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "fineract", "vendor": "apache", "versions": [ { "lessThan": "1.9.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-23537", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-08T18:09:05.990965Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-08T20:06:52.390Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:06:25.238Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "1.9.0", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Yash Sancheti" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Privilege Management vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\u003c/p\u003e" } ], "value": "Improper 
Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue." } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } }, { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-01T18:06:44.197Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1" }, { "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-23537", "datePublished": "2024-03-29T14:38:05.738Z", "dateReserved": "2024-01-18T04:59:16.245Z", "dateUpdated": "2025-02-13T17:39:45.238Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-5663 (GCVE-0-2017-5663)
Vulnerability from cvelistv5
Published
2017-12-14 15:00
Modified
2024-09-17 01:05
CWE
- SQL Injection Vulnerability
Summary
In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of endpoints is not sanitized and is appended directly to the query. Note that CVE-2024-23539 (also on this page) reports the same 'sqlSearch' parameter as injectable again, under certain system configurations, in releases before 1.8.5 — so a fix for this CVE alone is not evidence that the parameter is safe.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/757feeffe45a75d3c0d08b551e71fabdae5d352543be2342b6ba2c93%40%3Cdev.fineract.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 0.4.0-incubating Version: 0.5.0-incubating Version: 0.6.0-incubating |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T15:11:48.791Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[dev] 20171213 [SECURITY] CVE-2017-5663: Apache Fineract SQL Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/757feeffe45a75d3c0d08b551e71fabdae5d352543be2342b6ba2c93%40%3Cdev.fineract.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "0.4.0-incubating" }, { "status": "affected", "version": "0.5.0-incubating" }, { "status": "affected", "version": "0.6.0-incubating" } ] } ], "datePublic": "2017-12-13T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The \u0027sqlSearch\u0027 parameter on a number of endpoints is not sanitized and appended directly to the query." 
} ], "problemTypes": [ { "descriptions": [ { "description": "SQL Injection Vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-14T14:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[dev] 20171213 [SECURITY] CVE-2017-5663: Apache Fineract SQL Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/757feeffe45a75d3c0d08b551e71fabdae5d352543be2342b6ba2c93%40%3Cdev.fineract.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-12-13T00:00:00", "ID": "CVE-2017-5663", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Fineract", "version": { "version_data": [ { "version_value": "0.4.0-incubating" }, { "version_value": "0.5.0-incubating" }, { "version_value": "0.6.0-incubating" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The \u0027sqlSearch\u0027 parameter on a number of endpoints is not sanitized and appended directly to the query." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "SQL Injection Vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "[dev] 20171213 [SECURITY] CVE-2017-5663: Apache Fineract SQL Injection Vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/757feeffe45a75d3c0d08b551e71fabdae5d352543be2342b6ba2c93@%3Cdev.fineract.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-5663", "datePublished": "2017-12-14T15:00:00Z", "dateReserved": "2017-01-29T00:00:00", "dateUpdated": "2024-09-17T01:05:44.339Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-23539 (GCVE-0-2024-23539)
Vulnerability from cvelistv5
Published
2024-03-29 14:36
Modified
2025-02-13 17:39
Severity: critical (Apache CNA textual rating); CVSS 3.1 8.3 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H) from the CNA; CISA SSVC Technical Impact partial.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract: under certain system configurations, the 'sqlSearch' parameter of specific endpoints was vulnerable to SQL injection, potentially allowing attackers to manipulate database queries (per the record's title). This issue affects Apache Fineract versions before 1.8.5 (0 ≤ version ≤ 1.8.4).
Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
References (from the record below): https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report (vendor advisory); https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h (vendor advisory); http://www.openwall.com/lists/oss-security/2024/03/29/3
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 0 ≤ affected ≤ 1.8.4 (i.e. < 1.8.5) |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-23539", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-08T18:15:17.746807Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-08T20:07:58.442Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:06:25.209Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "1.8.4", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Yash Sancheti of GH Solutions Consultants" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e" } ], "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.This issue affects Apache Fineract: 
\u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue." } ], "metrics": [ { "other": { "content": { "text": "critical" }, "type": "Textual description of severity" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-01T17:09:56.568Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h" }, { "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-23539", "datePublished": "2024-03-29T14:36:57.919Z", "dateReserved": "2024-01-18T05:12:01.266Z", "dateUpdated": "2025-02-13T17:39:46.405Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-1291 (GCVE-0-2018-1291)
Vulnerability from cvelistv5
Published
2018-04-20 18:00
Modified
2024-09-16 19:20
CWE
- Information Disclosure (legacy free-text problem type; the underlying weakness is SQL injection, CWE-89)
Summary
Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating and 0.4.0-incubating expose several REST endpoints that query domain-specific entities with an 'orderBy' value that is appended directly to SQL statements. An attacker can craft the 'orderBy' value by way of the "order" query parameter to read or update data they are not authorized to access.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/1f7fadc93500b3fe14603b132b13c18fff3d0a35e50ebd0246f325c0%40%3Cdev.fineract.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/bid/104008 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Fineract |
Version: 1.0.0 Version: 0.6.0-incubating Version: 0.5.0-incubating Version: 0.4.0-incubating |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:59:37.637Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[dev] 20180419 [SECURITY] CVE-2018-1291: Apache Fineract SQL Injection Vulnerability - Order by injection via Order Param", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/1f7fadc93500b3fe14603b132b13c18fff3d0a35e50ebd0246f325c0%40%3Cdev.fineract.apache.org%3E" }, { "name": "104008", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/104008" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Fineract", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "1.0.0" }, { "status": "affected", "version": "0.6.0-incubating" }, { "status": "affected", "version": "0.5.0-incubating" }, { "status": "affected", "version": "0.4.0-incubating" } ] } ], "datePublic": "2018-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter \u0027orderBy\u0027 which are appended directly with SQL statements. A hacker/user can inject/draft the \u0027orderBy\u0027 query parameter by way of the \"order\" param in such a way to read/update the data for which he doesn\u0027t have authorization." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-04-28T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[dev] 20180419 [SECURITY] CVE-2018-1291: Apache Fineract SQL Injection Vulnerability - Order by injection via Order Param", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/1f7fadc93500b3fe14603b132b13c18fff3d0a35e50ebd0246f325c0%40%3Cdev.fineract.apache.org%3E" }, { "name": "104008", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/104008" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-04-19T00:00:00", "ID": "CVE-2018-1291", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Fineract", "version": { "version_data": [ { "version_value": "1.0.0" }, { "version_value": "0.6.0-incubating" }, { "version_value": "0.5.0-incubating" }, { "version_value": "0.4.0-incubating" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter \u0027orderBy\u0027 which are appended directly with SQL statements. A hacker/user can inject/draft the \u0027orderBy\u0027 query parameter by way of the \"order\" param in such a way to read/update the data for which he doesn\u0027t have authorization." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "[dev] 20180419 [SECURITY] CVE-2018-1291: Apache Fineract SQL Injection Vulnerability - Order by injection via Order Param", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/1f7fadc93500b3fe14603b132b13c18fff3d0a35e50ebd0246f325c0@%3Cdev.fineract.apache.org%3E" }, { "name": "104008", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104008" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-1291", "datePublished": "2018-04-20T18:00:00Z", "dateReserved": "2017-12-07T00:00:00", "dateUpdated": "2024-09-16T19:20:16.288Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
