


    40 vulnerabilities found for fineract by apache

    CVE-2025-58137 (GCVE-0-2025-58137)

    Vulnerability from cvelistv5 – Published: 2025-12-12 09:21 – Updated: 2025-12-12 19:35
    VLAI
    Title
    Apache Fineract: IDOR via self-service API
    Summary
    Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.11.0 (semver)
    Unaffected: 1.12.1 (semver)
    Credits
    Peter Chen Ádám Sághy Aleksandar Vidakovic Víctor Romero

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:26.103Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/7"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T19:34:29.596076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T19:35:44.785Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.12.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peter Chen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "\u00c1d\u00e1m S\u00e1ghy"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Aleksandar Vidakovic"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "V\u00edctor Romero"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003c/p\u003e"
                }
              ],
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:21:00.374Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/gz3zhoghlclch3rdnzyrdcf69c0507ww"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: IDOR via self-service API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-58137",
        "datePublished": "2025-12-12T09:21:00.374Z",
        "dateReserved": "2025-08-26T00:04:03.552Z",
        "dateUpdated": "2025-12-12T19:35:44.785Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58130 (GCVE-0-2025-58130)

    Vulnerability from cvelistv5 – Published: 2025-12-12 09:20 – Updated: 2025-12-12 19:38
    VLAI
    Title
    Apache Fineract: Server Key not masked
    Summary
    Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.11.0 (semver)
    Unaffected: 1.12.1 (semver)
    Credits
    Peter Chen Jose Alberto Hernandez Ádám Sághy

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:24.418Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T19:37:36.771762Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T19:38:02.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.12.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peter Chen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jose Alberto Hernandez"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInsufficiently Protected Credentials vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.11.0.\u0026nbsp;The issue is fixed in version 1.12.1.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Insufficiently Protected Credentials vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0.\u00a0The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:20:06.930Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Server Key not masked",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-58130",
        "datePublished": "2025-12-12T09:20:06.930Z",
        "dateReserved": "2025-08-25T17:22:25.418Z",
        "dateUpdated": "2025-12-12T19:38:02.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-23408 (GCVE-0-2025-23408)

    Vulnerability from cvelistv5 – Published: 2025-12-12 09:18 – Updated: 2025-12-18 15:34
    VLAI
    Title
    Apache Fineract: weak password policy
    Summary
    Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-521 - Weak Password Requirements
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.10.1 (semver)
    Unaffected: 1.11.0 (semver)
    Credits
    Peter Chen, PayPal Security Kristof Jozsa, BaaSFlow

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:07.346Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23408",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T15:33:52.566017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T15:34:00.875Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.10.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.11.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Chen, PayPal Security"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Kristof Jozsa, BaaSFlow"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWeak Password Requirements vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.10.1.\u0026nbsp;The issue is fixed in version 1.11.0.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Weak Password Requirements vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.10.1.\u00a0The issue is fixed in version 1.11.0.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-521",
                  "description": "CWE-521 Weak Password Requirements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:18:59.147Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/bdlb6wl968yh1n48mr5npsk2spo6dncf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: weak password policy",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-23408",
        "datePublished": "2025-12-12T09:18:59.147Z",
        "dateReserved": "2025-01-15T23:55:29.758Z",
        "dateUpdated": "2025-12-18T15:34:00.875Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32838 (GCVE-0-2024-32838)

    Vulnerability from cvelistv5 – Published: 2025-02-12 09:44 – Updated: 2025-02-12 18:03
    VLAI
    Title
    Apache Fineract: SQL injection vulnerabilities in offices API endpoint
    Summary
    SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameters. Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL Validator has been implemented which allows a series of tests and checks to be configured against SQL queries, validating them and protecting against nearly all potential SQL injection attacks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.9 (semver)
    Credits
    Kabilan S - Security engineer at Zoho Aleksandar Vidakovic

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32838",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-12T14:51:41.347771Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T15:56:18.737Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-02-12T18:03:27.737Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/02/12/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.9",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kabilan S - Security engineer at Zoho"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleksandar Vidakovic"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\u003cbr\u003e\u003cbr\u003eA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u00a0\nUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\n\nA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-12T09:44:15.943Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/7l88h17pn9nf8zpx5bbojk7ko5oxo1dy"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: SQL injection vulnerabilities in offices API endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-32838",
        "datePublished": "2025-02-12T09:44:15.943Z",
        "dateReserved": "2024-04-18T17:53:52.406Z",
        "dateUpdated": "2025-02-12T18:03:27.737Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23537 (GCVE-0-2024-23537)

    Vulnerability from cvelistv5 – Published: 2024-03-29 14:38 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.
    Summary
    Improper Privilege Management vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , < 1.9.0 (semver)
    apache fineract Affected: 0 , < 1.9.0 (custom)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Credits
    Yash Sancheti

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "1.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23537",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-08T18:09:05.990965Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T20:06:52.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.238Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yash Sancheti"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Privilege Management vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Privilege Management vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T18:06:44.197Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23537",
        "datePublished": "2024-03-29T14:38:05.738Z",
        "dateReserved": "2024-01-18T04:59:16.245Z",
        "dateUpdated": "2025-02-13T17:39:45.238Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23538 (GCVE-0-2024-23538)

    Vulnerability from cvelistv5 – Published: 2024-03-29 14:37 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , < 1.8.5 (semver)
    apache fineract Affected: 0 , < 1.8.5 (semver)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Credits
    Yash Sancheti Majd Alasfar of ProgressSoft

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.181Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "1.8.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23538",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-01T19:58:21.744925Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-21T22:45:12.821Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.8.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yash Sancheti"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Majd Alasfar of ProgressSoft"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T18:11:52.233Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23538",
        "datePublished": "2024-03-29T14:37:40.374Z",
        "dateReserved": "2024-01-18T05:11:07.977Z",
        "dateUpdated": "2025-02-13T17:39:45.863Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23539 (GCVE-0-2024-23539)

    Vulnerability from cvelistv5 – Published: 2024-03-29 14:36 – Updated: 2025-02-13 17:39
    VLAI
    Title
    Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.8.4 (custom)
    Credits
    Yash Sancheti of GH Solutions Consultants

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-08T18:15:17.746807Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T20:07:58.442Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.209Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yash Sancheti of GH Solutions Consultants"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "critical"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T17:09:56.568Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23539",
        "datePublished": "2024-03-29T14:36:57.919Z",
        "dateReserved": "2024-01-18T05:12:01.266Z",
        "dateUpdated": "2025-02-13T17:39:46.405Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25197 (GCVE-0-2023-25197)

    Vulnerability from cvelistv5 – Published: 2023-03-28 11:17 – Updated: 2024-10-23 15:14
    VLAI
    Title
    apache fineract: SQL injection vulnerability in certain procedure calls
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components. This issue affects apache fineract: from 1.4 through 1.8.2.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation apache fineract Affected: 1.4 , ≤ 1.8.2 (semver)
    Credits
    Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg aleks@apache.org

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.121Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25197",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:14:09.196104Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:14:18.730Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "apache fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.2",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "aleks@apache.org"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to exploit this for limited impact on components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects apache fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\nAuthorized users may be able to exploit this for limited impact on components. \u00a0\n\nThis issue affects apache fineract: from 1.4 through 1.8.2.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:17:19.026Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "apache fineract: SQL injection vulnerability in certain procedure calls ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25197",
        "datePublished": "2023-03-28T11:17:19.026Z",
        "dateReserved": "2023-02-06T01:33:31.192Z",
        "dateUpdated": "2024-10-23T15:14:18.730Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25196 (GCVE-0-2023-25196)

    Vulnerability from cvelistv5 – Published: 2023-03-28 11:16 – Updated: 2024-10-23 15:14
    VLAI
    Title
    Apache Fineract: SQL injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.8.2 (semver)
    Credits
    Zhang Baocheng at Leng Jing Qi Cai Security Lab Aleks@apache.org

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.263Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25196",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:14:35.403529Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:14:44.993Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.2",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": " Zhang Baocheng at Leng Jing Qi Cai Security Lab"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleks@apache.org"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to change or add data in certain components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users may be able to change or add data in certain components. \u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.2.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:16:57.603Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SQL injection vulnerability ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25196",
        "datePublished": "2023-03-28T11:16:57.603Z",
        "dateReserved": "2023-02-06T01:32:54.479Z",
        "dateUpdated": "2024-10-23T15:14:44.993Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25195 (GCVE-0-2023-25195)

    Vulnerability from cvelistv5 – Published: 2023-03-28 11:16 – Updated: 2024-10-23 15:16
    Title
    Apache Fineract: SSRF template type vulnerability in certain authenticated users
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to the server and may be able to use the server for any outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.8.3 (semver)
    apache fineract Affected: 1.4.0 , ≤ 1.8.3 (custom)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Credits
    Huydoppa from GHTK Aleksander

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.247Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThanOrEqual": "1.8.3",
                    "status": "affected",
                    "version": "1.4.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25195",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:15:05.674623Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:16:08.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.3",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Huydoppa from GHTK "
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleksander"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.3.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.3.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:16:28.304Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SSRF template type vulnerability in certain authenticated users",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25195",
        "datePublished": "2023-03-28T11:16:28.304Z",
        "dateReserved": "2023-02-06T01:32:05.395Z",
        "dateUpdated": "2024-10-23T15:16:08.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-44635 (GCVE-0-2022-44635)

    Vulnerability from cvelistv5 – Published: 2022-11-29 00:00 – Updated: 2025-04-25 14:51
    Title
    Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
    Summary
    Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend that users upgrade to 1.8.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: Apache Fineract 1.8 , ≤ 1.8.0 (custom)
    Affected: Apache Fineract 1.7 , ≤ 1.7.0 (custom)
    Credits
    We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team & Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T13:54:03.993Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
              },
              {
                "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-44635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-25T14:50:47.128187Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-25T14:51:14.718Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.0",
                  "status": "affected",
                  "version": "Apache Fineract 1.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.7.0",
                  "status": "affected",
                  "version": "Apache Fineract 1.7",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank  Aman Sapra, co-captain of the Super Guesser CTF team \u0026 Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance.  We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE. "
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "important"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-29T00:00:00.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
            },
            {
              "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-44635",
        "datePublished": "2022-11-29T00:00:00.000Z",
        "dateReserved": "2022-11-02T00:00:00.000Z",
        "dateUpdated": "2025-04-25T14:51:14.718Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17514 (GCVE-0-2020-17514)

    Vulnerability from cvelistv5 – Published: 2021-05-27 12:10 – Updated: 2024-08-04 14:00
    Title
    disabled hostname verification
    Summary
    Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.
    Severity
    No CVSS data available.
    CWE
    • Missing Hostname Verification
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: Apache Fineract , < 1.5.0 (custom)
    Credits
    We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T14:00:48.549Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
              },
              {
                "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E"
              },
              {
                "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "affected",
                  "version": "Apache Fineract",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Hostname Verification",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-27T17:06:10.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
            },
            {
              "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "disabled hostname verification",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2020-17514",
              "STATE": "PUBLIC",
              "TITLE": "disabled hostname verification"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache Fineract",
                                "version_value": "1.5.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Hostname Verification"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://issues.apache.org/jira/browse/FINERACT-1211",
                  "refsource": "MISC",
                  "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
                },
                {
                  "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64@%3Cdev.fineract.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2020-17514",
        "datePublished": "2021-05-27T12:10:10.000Z",
        "dateReserved": "2020-08-12T00:00:00.000Z",
        "dateUpdated": "2024-08-04T14:00:48.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-20243 (GCVE-0-2018-20243)

    Vulnerability from cvelistv5 – Published: 2020-10-13 18:23 – Updated: 2024-08-05 11:58
    Summary
    The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in fineract jira issues 726 and 629.
    Severity
    No CVSS data available.
    CWE
    • Critical
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Apache Fineract Affected: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T11:58:18.736Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r040d46835aff3c192656b549ca82f62d87fb044ef9a9dd49408b49b4%40%3Cdev.fineract.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in fineract jira issues 726 and 629."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Critical",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-13T18:23:49.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread.html/r040d46835aff3c192656b549ca82f62d87fb044ef9a9dd49408b49b4%40%3Cdev.fineract.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2018-20243",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in fineract jira issues 726 and 629."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Critical"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread.html/r040d46835aff3c192656b549ca82f62d87fb044ef9a9dd49408b49b4%40%3Cdev.fineract.apache.org%3E",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread.html/r040d46835aff3c192656b549ca82f62d87fb044ef9a9dd49408b49b4%40%3Cdev.fineract.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2018-20243",
        "datePublished": "2020-10-13T18:23:49.000Z",
        "dateReserved": "2018-12-19T00:00:00.000Z",
        "dateUpdated": "2024-08-05T11:58:18.736Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11801 (GCVE-0-2018-11801)

    Vulnerability from cvelistv5 – Published: 2019-06-11 16:43 – Updated: 2024-08-05 08:17
    Summary
    SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table.
    Severity
    No CVSS data available.
    CWE
    • SQL Injection
    Assigner
    References
    URL Tags
    https://lists.apache.org/thread.html/32aa471180f8… mailing-list, x_refsource_MLIST
    http://www.openwall.com/lists/oss-security/2019/05/09/1 mailing-list, x_refsource_MLIST
    http://www.securityfocus.com/bid/108291 vdb-entry, x_refsource_BID
    Impacted products
    Vendor Product Version
    Apache Apache Fineract Affected: Apache Fineract versions before 1.3.0 are affected
    Date Public
    2019-05-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T08:17:09.271Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E"
              },
              {
                "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
              },
              {
                "name": "108291",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/108291"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Fineract versions before 1.3.0 are affected"
                }
              ]
            }
          ],
          "datePublic": "2019-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-11T16:44:54.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
            },
            {
              "name": "108291",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/108291"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2018-11801",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Apache Fineract versions before 1.3.0 are affected"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf@%3Cdev.fineract.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
                },
                {
                  "name": "108291",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/108291"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2018-11801",
        "datePublished": "2019-06-11T16:43:28.000Z",
        "dateReserved": "2018-06-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T08:17:09.271Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11800 (GCVE-0-2018-11800)

    Vulnerability from cvelistv5 – Published: 2019-06-11 16:42 – Updated: 2024-08-05 08:17
    Summary
    SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table.
    Severity
    No CVSS data available.
    CWE
    • SQL Injection
    Assigner
    References
    URL Tags
    https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E mailing-list, x_refsource_MLIST
    http://www.openwall.com/lists/oss-security/2019/05/09/1 mailing-list, x_refsource_MLIST
    http://www.securityfocus.com/bid/108291 vdb-entry, x_refsource_BID
    Impacted products
    Vendor Product Version
    Apache Apache Fineract Affected: Apache Fineract versions before 1.3.0 are affected
    Date Public
    2019-05-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T08:17:09.177Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E"
              },
              {
                "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
              },
              {
                "name": "108291",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/108291"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Fineract versions before 1.3.0 are affected"
                }
              ]
            }
          ],
          "datePublic": "2019-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-11T16:45:50.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
            },
            {
              "name": "108291",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/108291"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2018-11800",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Apache Fineract versions before 1.3.0 are affected"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf@%3Cdev.fineract.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
                },
                {
                  "name": "108291",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/108291"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2018-11800",
        "datePublished": "2019-06-11T16:42:05.000Z",
        "dateReserved": "2018-06-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T08:17:09.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-58137 (GCVE-0-2025-58137)

    Vulnerability from nvd – Published: 2025-12-12 09:21 – Updated: 2025-12-12 19:35
    Title
    Apache Fineract: IDOR via self-service API
    Summary
    Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. Reviewer note: the Apache CNA rates this "important" and the CISA ADP scores it CVSS 3.1 8.1 (High) with PR:L and C:H/I:H, i.e. the precondition is a low-privileged (self-service) account, not an unauthenticated attacker; the record itself does not name the affected endpoint, so consult the linked vendor advisory for the exact API surface.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.11.0 (semver)
    Unaffected: 1.12.1 (semver)
    Credits
    Peter Chen Ádám Sághy Aleksandar Vidakovic Víctor Romero

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:26.103Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/7"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T19:34:29.596076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T19:35:44.785Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.12.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peter Chen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "\u00c1d\u00e1m S\u00e1ghy"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Aleksandar Vidakovic"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "V\u00edctor Romero"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003c/p\u003e"
                }
              ],
              "value": "Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:21:00.374Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/gz3zhoghlclch3rdnzyrdcf69c0507ww"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: IDOR via self-service API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-58137",
        "datePublished": "2025-12-12T09:21:00.374Z",
        "dateReserved": "2025-08-26T00:04:03.552Z",
        "dateUpdated": "2025-12-12T19:35:44.785Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58130 (GCVE-0-2025-58130)

    Vulnerability from nvd – Published: 2025-12-12 09:20 – Updated: 2025-12-12 19:38
    Title
    Apache Fineract: Server Key not masked
    Summary
    Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. Reviewer note: the severity ratings in this record conflict — the Apache CNA's own textual severity is "low", while the CISA ADP assessment scores it CVSS 3.1 9.1 (Critical, AV:N/PR:N/C:H/I:H) and marks it SSVC Automatable: yes. Do not deprioritize on the "low" label alone; read the linked vendor advisory to determine whether the unmasked server key is reachable without authentication in your deployment.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.11.0 (semver)
    Unaffected: 1.12.1 (semver)
    Credits
    Peter Chen Jose Alberto Hernandez Ádám Sághy

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:24.418Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58130",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T19:37:36.771762Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T19:38:02.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.11.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.12.1",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Peter Chen"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Jose Alberto Hernandez"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "\u00c1d\u00e1m S\u00e1ghy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInsufficiently Protected Credentials vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.11.0.\u0026nbsp;The issue is fixed in version 1.12.1.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Insufficiently Protected Credentials vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.11.0.\u00a0The issue is fixed in version 1.12.1.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "low"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:20:06.930Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Server Key not masked",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-58130",
        "datePublished": "2025-12-12T09:20:06.930Z",
        "dateReserved": "2025-08-25T17:22:25.418Z",
        "dateUpdated": "2025-12-12T19:38:02.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-23408 (GCVE-0-2025-23408)

    Vulnerability from nvd – Published: 2025-12-12 09:18 – Updated: 2025-12-18 15:34
    Title
    Apache Fineract: weak password policy
    Summary
    Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release. Reviewer note: the CNA's textual severity is "moderate", but the CNA-supplied CVSS 4.0 vector scores 8.5 (High) with PR:L, VC:H and SC:H/SI:H/SA:H, and CISA SSVC marks it Automatable: yes; the high subsequent-system impacts suggest credential guessing against weak passwords could affect more than the vulnerable component, so verify your deployment's password policy settings as well as the upgrade.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-521 - Weak Password Requirements
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.10.1 (semver)
    Unaffected: 1.11.0 (semver)
    Credits
    Peter Chen, PayPal Security Kristof Jozsa, BaaSFlow

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-12T10:06:07.346Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/11/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-23408",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T15:33:52.566017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T15:34:00.875Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.10.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "1.11.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Peter Chen, PayPal Security"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Kristof Jozsa, BaaSFlow"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eWeak Password Requirements vulnerability in Apache Fineract.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: through 1.10.1.\u0026nbsp;The issue is fixed in version 1.11.0.\u003c/p\u003e\u003cp\u003eUsers are encouraged to upgrade to version 1.13.0, the latest release.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Weak Password Requirements vulnerability in Apache Fineract.\n\nThis issue affects Apache Fineract: through 1.10.1.\u00a0The issue is fixed in version 1.11.0.\n\nUsers are encouraged to upgrade to version 1.13.0, the latest release."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-521",
                  "description": "CWE-521 Weak Password Requirements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T09:18:59.147Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/bdlb6wl968yh1n48mr5npsk2spo6dncf"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: weak password policy",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2025-23408",
        "datePublished": "2025-12-12T09:18:59.147Z",
        "dateReserved": "2025-01-15T23:55:29.758Z",
        "dateUpdated": "2025-12-18T15:34:00.875Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32838 (GCVE-0-2024-32838)

    Vulnerability from nvd – Published: 2025-02-12 09:44 – Updated: 2025-02-12 18:03
    Title
    Apache Fineract: SQL injection vulnerabilities in offices API endpoint
    Summary
    SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints' query parameters. Users are recommended to upgrade to version 1.10.1, which fixes this issue. A SQL validator has been implemented that applies a configurable series of tests and checks to the SQL queries, validating them and protecting against nearly all potential SQL injection attacks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.9 (semver)
    Credits
    Kabilan S - Security engineer at Zoho; Aleksandar Vidakovic

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32838",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-12T14:51:41.347771Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T15:56:18.737Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-02-12T18:03:27.737Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/02/12/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.9",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kabilan S - Security engineer at Zoho"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleksandar Vidakovic"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameter.\u0026nbsp;\u003cdiv\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\u003cbr\u003e\u003cbr\u003eA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Apache Fineract versions 1.9 and before have a vulnerability that allows an authenticated attacker to inject malicious data into some of the REST API endpoints\u0027 query parameters.\u00a0\nUsers are recommended to upgrade to version 1.10.1, which fixes this issue.\n\nA SQL Validator has been implemented which allows us to configure a series of tests and checks against our SQL queries that will allow us to validate and protect against nearly all potential SQL injection attacks."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-12T09:44:15.943Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/7l88h17pn9nf8zpx5bbojk7ko5oxo1dy"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: SQL injection vulnerabilities in offices API endpoint",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-32838",
        "datePublished": "2025-02-12T09:44:15.943Z",
        "dateReserved": "2024-04-18T17:53:52.406Z",
        "dateUpdated": "2025-02-12T18:03:27.737Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23537 (GCVE-0-2024-23537)

    Vulnerability from nvd – Published: 2024-03-29 14:38 – Updated: 2025-02-13 17:39
    Title
    Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.
    Summary
    Improper Privilege Management vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.9.0, which fixes the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , < 1.9.0 (semver)
    apache fineract Affected: 0 , < 1.9.0 (custom)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Credits
    Yash Sancheti

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "1.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23537",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-08T18:09:05.990965Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T20:06:52.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.238Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yash Sancheti"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Privilege Management vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.9.0, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Privilege Management vulnerability in Apache Fineract. This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.9.0, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T18:06:44.197Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/fq1ns4nprw2vqpkwwj9sw45jkwxmt9f1"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23537",
        "datePublished": "2024-03-29T14:38:05.738Z",
        "dateReserved": "2024-01-18T04:59:16.245Z",
        "dateUpdated": "2025-02-13T17:39:45.238Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23538 (GCVE-0-2024-23538)

    Vulnerability from nvd – Published: 2024-03-29 14:37 – Updated: 2025-02-13 17:39
    Title
    Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , < 1.8.5 (semver)
    apache fineract Affected: 0 , < 1.8.5 (semver)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Credits
    Yash Sancheti; Majd Alasfar of ProgressSoft

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.181Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThan": "1.8.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23538",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-01T19:58:21.744925Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-21T22:45:12.821Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.8.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yash Sancheti"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Majd Alasfar of ProgressSoft"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract. This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T18:11:52.233Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/by32w2dylzgbqm5940x3wj7519wolqxs"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23538",
        "datePublished": "2024-03-29T14:37:40.374Z",
        "dateReserved": "2024-01-18T05:11:07.977Z",
        "dateUpdated": "2025-02-13T17:39:45.863Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-23539 (GCVE-0-2024-23539)

    Vulnerability from nvd – Published: 2024-03-29 14:36 – Updated: 2025-02-13 17:39
    Title
    Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract. This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 0 , ≤ 1.8.4 (custom)
    Credits
    Yash Sancheti of GH Solutions Consultants

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-23539",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-08T18:15:17.746807Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-08T20:07:58.442Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:06:25.209Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yash Sancheti of GH Solutions Consultants"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract.\u003cp\u003eThis issue affects Apache Fineract: \u0026lt;1.8.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Fineract. This issue affects Apache Fineract: \u003c1.8.5.\n\nUsers are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "critical"
                },
                "type": "Textual description of severity"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T17:09:56.568Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/g8sv1gnjv716lx2h89jbvjdgtrrjmy7h"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/03/29/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries.",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2024-23539",
        "datePublished": "2024-03-29T14:36:57.919Z",
        "dateReserved": "2024-01-18T05:12:01.266Z",
        "dateUpdated": "2025-02-13T17:39:46.405Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25197 (GCVE-0-2023-25197)

    Vulnerability from nvd – Published: 2023-03-28 11:17 – Updated: 2024-10-23 15:14
    Title
    apache fineract: SQL injection vulnerability in certain procedure calls
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation apache fineract. Authorized users may be able to exploit this for limited impact on components. This issue affects apache fineract: from 1.4 through 1.8.2.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation apache fineract Affected: 1.4 , ≤ 1.8.2 (semver)
    Credits
    Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg aleks@apache.org

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.121Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25197",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:14:09.196104Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:14:18.730Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "apache fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.2",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Eugene Lim at Cyber Security Group (CSG) Government Technology Agency GOVTECH.sg"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "aleks@apache.org"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to exploit this for limited impact on components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects apache fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation apache fineract.\nAuthorized users may be able to exploit this for limited impact on components. \u00a0\n\nThis issue affects apache fineract: from 1.4 through 1.8.2.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:17:19.026Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/v0q9x86sx6f6l2nzr1z0nwm3y9qlng04"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "apache fineract: SQL injection vulnerability in certain procedure calls ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25197",
        "datePublished": "2023-03-28T11:17:19.026Z",
        "dateReserved": "2023-02-06T01:33:31.192Z",
        "dateUpdated": "2024-10-23T15:14:18.730Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25196 (GCVE-0-2023-25196)

    Vulnerability from nvd – Published: 2023-03-28 11:16 – Updated: 2024-10-23 15:14
    Title
    Apache Fineract: SQL injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache Fineract. Authorized users may be able to change or add data in certain components. This issue affects Apache Fineract: from 1.4 through 1.8.2.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.8.2 (semver)
    Credits
    Zhang Baocheng at Leng Jing Qi Cai Security Lab Aleks@apache.org

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.263Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25196",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:14:35.403529Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:14:44.993Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.2",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": " Zhang Baocheng at Leng Jing Qi Cai Security Lab"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleks@apache.org"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users may be able to change or add data in certain components. \u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users may be able to change or add data in certain components. \u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.2.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:16:57.603Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/m9x3vpn3bry4fympkzxnnz4qx0oc0w8m"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SQL injection vulnerability ",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25196",
        "datePublished": "2023-03-28T11:16:57.603Z",
        "dateReserved": "2023-02-06T01:32:54.479Z",
        "dateUpdated": "2024-10-23T15:14:44.993Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25195 (GCVE-0-2023-25195)

    Vulnerability from nvd – Published: 2023-03-28 11:16 – Updated: 2024-10-23 15:16
    Title
    Apache Fineract: SSRF template type vulnerability in certain authenticated users
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract. Authorized users with limited permissions can gain access to the server and may be able to use it for arbitrary outbound traffic. This issue affects Apache Fineract: from 1.4 through 1.8.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: 1.4 , ≤ 1.8.3 (semver)
    apache fineract Affected: 1.4.0 , ≤ 1.8.3 (custom)
        cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*
    Credits
    Huydoppa from GHTK Aleksander

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:36.247Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fineract",
                "vendor": "apache",
                "versions": [
                  {
                    "lessThanOrEqual": "1.8.3",
                    "status": "affected",
                    "version": "1.4.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25195",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T15:15:05.674623Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T15:16:08.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.3",
                  "status": "affected",
                  "version": "1.4",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Huydoppa from GHTK "
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Aleksander"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\u003cbr\u003e\u003cp\u003eAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects Apache Fineract: from 1.4 through 1.8.3.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache Fineract.\nAuthorized users with limited permissions can gain access to server and may be able to use server for any outbound traffic.\u00a0\n\nThis issue affects Apache Fineract: from 1.4 through 1.8.3.\n\n"
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-28T11:16:28.304Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/m58fdjmtkfp9h4c0r4l48rv995w3qhb6"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache Fineract: SSRF template type vulnerability in certain authenticated users",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-25195",
        "datePublished": "2023-03-28T11:16:28.304Z",
        "dateReserved": "2023-02-06T01:32:05.395Z",
        "dateUpdated": "2024-10-23T15:16:08.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-44635 (GCVE-0-2022-44635)

    Vulnerability from nvd – Published: 2022-11-29 00:00 – Updated: 2025-04-25 14:51
    Title
    Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
    Summary
    Apache Fineract allowed an authenticated user to achieve remote code execution through a path traversal vulnerability in a file upload component of Apache Fineract. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend that users upgrade to 1.8.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: Apache Fineract 1.8 , ≤ 1.8.0 (custom)
    Affected: Apache Fineract 1.7 , ≤ 1.7.0 (custom)
    Credits
    We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team & Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE.

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T13:54:03.993Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
              },
              {
                "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-44635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-25T14:50:47.128187Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-25T14:51:14.718Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.0",
                  "status": "affected",
                  "version": "Apache Fineract 1.8",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "1.7.0",
                  "status": "affected",
                  "version": "Apache Fineract 1.7",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank  Aman Sapra, co-captain of the Super Guesser CTF team \u0026 Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance.  We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE. "
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "important"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-29T00:00:00.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
            },
            {
              "name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
              "tags": [
                "mailing-list"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-44635",
        "datePublished": "2022-11-29T00:00:00.000Z",
        "dateReserved": "2022-11-02T00:00:00.000Z",
        "dateUpdated": "2025-04-25T14:51:14.718Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-17514 (GCVE-0-2020-17514)

    Vulnerability from nvd – Published: 2021-05-27 12:10 – Updated: 2024-08-04 14:00
    Title
    disabled hostname verification
    Summary
    Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man-in-the-middle attack could be successful.
    Severity
    No CVSS data available.
    CWE
    • Missing Hostname Verification
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache Fineract Affected: Apache Fineract , < 1.5.0 (custom)
    Credits
    We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T14:00:48.549Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
              },
              {
                "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E"
              },
              {
                "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "1.5.0",
                  "status": "affected",
                  "version": "Apache Fineract",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Hostname Verification",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-05-27T17:06:10.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
            },
            {
              "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "disabled hostname verification",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2020-17514",
              "STATE": "PUBLIC",
              "TITLE": "disabled hostname verification"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache Fineract",
                                "version_value": "1.5.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "We would like to thank Simon Gerst at https://github.com/intrigus-lgtm  for reporting this issue"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Hostname Verification"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://issues.apache.org/jira/browse/FINERACT-1211",
                  "refsource": "MISC",
                  "url": "https://issues.apache.org/jira/browse/FINERACT-1211"
                },
                {
                  "name": "[fineract-dev] 20210527 Re: Release 1.5.0 fixed security issue CVE-2020-17514",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64@%3Cdev.fineract.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20210527 CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2021/05/27/2"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2020-17514",
        "datePublished": "2021-05-27T12:10:10.000Z",
        "dateReserved": "2020-08-12T00:00:00.000Z",
        "dateUpdated": "2024-08-04T14:00:48.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-20243 (GCVE-0-2018-20243)

    Vulnerability from nvd – Published: 2020-10-13 18:23 – Updated: 2024-08-05 11:58
    Summary
    The implementation of POST with the username and password in the URL parameters exposed the credentials, since query strings are routinely recorded in server, proxy and browser logs. More information is available in Fineract Jira issues 726 and 629.
    Severity
    No CVSS data available.
    CWE
    • Critical
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Apache Fineract Affected: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T11:58:18.736Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r040d46835aff3c192656b549ca82f62d87fb044ef9a9dd49408b49b4%40%3Cdev.fineract.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in fineract jira issues 726 and 629."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Critical",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-13T18:23:49.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread.html/r040d46835aff3c192656b549ca82f62d87fb044ef9a9dd49408b49b4%40%3Cdev.fineract.apache.org%3E"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2018-20243",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The implementation of POST with the username and password in the URL parameters exposed the credentials. More information is available in fineract jira issues 726 and 629."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Critical"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread.html/r040d46835aff3c192656b549ca82f62d87fb044ef9a9dd49408b49b4%40%3Cdev.fineract.apache.org%3E",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread.html/r040d46835aff3c192656b549ca82f62d87fb044ef9a9dd49408b49b4%40%3Cdev.fineract.apache.org%3E"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2018-20243",
        "datePublished": "2020-10-13T18:23:49.000Z",
        "dateReserved": "2018-12-19T00:00:00.000Z",
        "dateUpdated": "2024-08-05T11:58:18.736Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11801 (GCVE-0-2018-11801)

    Vulnerability from nvd – Published: 2019-06-11 16:43 – Updated: 2024-08-05 08:17
    Summary
    SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a table related to m_center data.
    Severity
    No CVSS data available.
    CWE
    • SQL Injection
    Assigner
    References
    URL Tags
    https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E mailing-list x_refsource_MLIST
    http://www.openwall.com/lists/oss-security/2019/05/09/1 mailing-list x_refsource_MLIST
    http://www.securityfocus.com/bid/108291 vdb-entry x_refsource_BID
    Impacted products
    Vendor Product Version
    Apache Apache Fineract Affected: Apache Fineract versions before 1.3.0 are affected
    Date Public
    2019-05-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T08:17:09.271Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E"
              },
              {
                "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
              },
              {
                "name": "108291",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/108291"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Fineract versions before 1.3.0 are affected"
                }
              ]
            }
          ],
          "datePublic": "2019-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-11T16:44:54.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
            },
            {
              "name": "108291",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/108291"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2018-11801",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Apache Fineract versions before 1.3.0 are affected"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on a m_center data related table."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf@%3Cdev.fineract.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
                },
                {
                  "name": "108291",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/108291"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2018-11801",
        "datePublished": "2019-06-11T16:43:28.000Z",
        "dateReserved": "2018-06-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T08:17:09.271Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-11800 (GCVE-0-2018-11800)

    Vulnerability from nvd – Published: 2019-06-11 16:42 – Updated: 2024-08-05 08:17
    Summary
    SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts-related table.
    Severity
    No CVSS data available.
    CWE
    • SQL Injection
    Assigner
    References
    URL Tags
    https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E mailing-list x_refsource_MLIST
    http://www.openwall.com/lists/oss-security/2019/05/09/1 mailing-list x_refsource_MLIST
    http://www.securityfocus.com/bid/108291 vdb-entry x_refsource_BID
    Impacted products
    Vendor Product Version
    Apache Apache Fineract Affected: Apache Fineract versions before 1.3.0 are affected
    Date Public
    2019-05-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T08:17:09.177Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E"
              },
              {
                "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
              },
              {
                "name": "108291",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/108291"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache Fineract",
              "vendor": "Apache",
              "versions": [
                {
                  "status": "affected",
                  "version": "Apache Fineract versions before 1.3.0 are affected"
                }
              ]
            }
          ],
          "datePublic": "2019-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-11T16:45:50.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf%40%3Cdev.fineract.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
            },
            {
              "name": "108291",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/108291"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2018-11800",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache Fineract",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Apache Fineract versions before 1.3.0 are affected"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL injection vulnerability in Apache Fineract before 1.3.0 allows attackers to execute arbitrary SQL commands via a query on the GroupSummaryCounts related table."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "[fineract-dev] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/32aa471180f8978b5f0ed64fcd862769f73c40bbe6cb948abdc899bf@%3Cdev.fineract.apache.org%3E"
                },
                {
                  "name": "[oss-security] 20190509 [CVE-2018-11800] and [CVE-2018-11801] Apache Fineract SQL Injection Vulnerabilities fixed in v1.3.0",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2019/05/09/1"
                },
                {
                  "name": "108291",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/108291"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2018-11800",
        "datePublished": "2019-06-11T16:42:05.000Z",
        "dateReserved": "2018-06-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T08:17:09.177Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }