Date: Wed, 13 Dec 2017 15:04:22 +0530 From: Nazeer Shaik <nazeer1100126@...che.org> To: user@...eract.apache.org, Dev <dev@...eract.apache.org>, oss-security@...ts.openwall.com, security <security@...che.org>, aleksandar.ivanov-2@...dent.manchester.ac.uk Subject: [SECURITY] CVE-2017-5663: Apache Fineract SQL Injection Vulnerability CVE-2017-5663: Apache Fineract SQL Injection Vulnerability Severity: Critical Vendor: The Apache Software Foundation Versions Affected: Apache Fineract 0.6.0-incubating Apache Fineract 0.5.0-incubating Apache Fineract 0.4.0-incubating Description: Apache Fineract exposes different REST end points to query domain specific entities with a Query Parameter 'sqlSearch' which is appended directly with SQL statements. A hacker/user can inject/draft the 'sqlSearch' query parameter in such a way to to read/update the data for which he doesn't have authorization. Mitigation: All users should migrate to Apache Fineract 1.0.0 version https://github.com/apache/fineract/tree/1.0.0 Example: A request to retrieve the Clients with displayName=Thomas GET https://DomainName/api/v1/clients?sqlSearch=displayName='Thomas' An attacker/user can use GET https://DomainName/api/v1/clients?sqlSearch= or (1==1) to retrieve all clients in the system Credit: This issue was discovered by Alex Ivanov References: http://fineract.apache.org/ https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report Regards, Apache Fineract Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.